CVE-2024-20378

EPSS 0.43%
Published 01.05.2024 17:15:28
Last modified 21.11.2024 08:52:30
Source psirt@cisco.com
Teams watchlist Login
Open Login

A vulnerability in the web-based management interface of Cisco IP Phone firmware could allow an unauthenticated, remote attacker to retrieve sensitive information from an affected device.  

 This vulnerability is due to a lack of authentication for specific endpoints of the web-based management interface on an affected device. An attacker could exploit this vulnerability by connecting to the affected device. A successful exploit could allow the attacker to gain unauthorized access to the device, enabling the recording of user credentials and traffic to and from the affected device, including VoIP calls that could be replayed.

Affected products Warnungen 0 Metrics 2 CWE 1 References 4

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

This information is available to logged-in users.

Daten sind bereitgestellt durch das CVE Programm von Authorized Data Publishers (ADP) (Unstrukturiert)

Vendorcisco

≫

Product ip_phone_6871_with_multiplatform_firmware

Default Statusunknown

Version <= 12.0.4

Version 0

Status affected

Vendorcisco

≫

Product ip_phone_6821_with_multiplatform_firmware

Default Statusunknown

Version <= 12.0.4

Version 0

Status affected

Vendorcisco

≫

Product ip_phone_6851_with_multiplatform_firmware

Default Statusunknown

Version <= 12.0.4

Version 0

Status affected

Vendorcisco

≫

Product ip_phone_7821_with_multiplatform_firmware

Default Statusunknown

Version <= 12.0.4

Version 0

Status affected

Vendorcisco

≫

Product ip_phone_6861_with_multiplatform_firmware

Default Statusunknown

Version <= 12.0.4

Version 0

Status affected

Vendorcisco

≫

Product ip_phone_6825_with_multiplatform_firmware

Default Statusunknown

Version <= 12.0.4

Version 0

Status affected

Vendorcisco

≫

Product ip_phone_6841_with_multiplatform_firmware

Default Statusunknown

Version <= 12.0.4

Version 0

Status affected

Vendorcisco

≫

Product ip_phone_7811_with_multiplatform_firmware

Default Statusunknown

Version <= 12.0.4

Version 0

Status affected

Vendorcisco

≫

Product ip_phone_7841_with_multiplatform_firmware

Default Statusunknown

Version <= 12.0.4

Version 0

Status affected

Vendorcisco

≫

Product ip_phone_7861_with_multiplatform_firmware

Default Statusunknown

Version <= 12.0.4

Version 0

Status affected

Vendorcisco

≫

Product ip_phone_8800_series_with_multiplatform_firmware

Default Statusunknown

Version <= 12.0.4

Version 0

Status affected

Vendorcisco

≫

Product video_phone_8875_firmware

Default Statusunknown

Version <= 12.0.4

Version 0

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.43%	0.62

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
psirt@cisco.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-305 Authentication Bypass by Primary Weakness

The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ipphone-multi-vulns-cXAhCvS

https://nvd.nist.gov/vuln/detail/CVE-2024-20378

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-20378

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-20378

EUVD