Advisory on Vulnerabilities in Multiple Cisco Products

  • NIC-CERT/2023-03/051
  • Date: 2023-03-03
  • CVE ID: Multiple
  • Severity: Critical

A. Description:

Cisco has released security updates to address vulnerabilities in Cisco software. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

B. Affected Products:

The following table gives the list of products affected, CVE IDs and overview of vulnerabilities:

Name of the Vulnerability: Cisco IP Phone 6800, 7800, 7900, and 8800 Series Web UI Vulnerabilities

CVE ID: CVE-2023-20078, CVE-2023-20079

Affected Product:

This vulnerability affects the following Cisco products if they are running a vulnerable release of Cisco Multiplatform Firmware:

  • IP Phone 6800 Series with Multiplatform Firmware
  • IP Phone 7800 Series with Multiplatform Firmware
  • IP Phone 8800 Series with Multiplatform Firmware

This vulnerability affects the following Cisco products if they are running a vulnerable release of Cisco Multiplatform Firmware or Cisco Unified Software:

  • IP Phone 6800 Series with Multiplatform Firmware
  • IP Phone 7800 Series with Multiplatform Firmware
  • IP Phone 8800 Series with Multiplatform Firmware
  • Unified IP Conference Phone 8831
  • Unified IP Conference Phone 8831 with Multiplatform Firmware
  • Unified IP Phone 7900 Series

Remediation: There are no workarounds that address these vulnerabilities.

Name of the Vulnerability: Cisco Webex App for Web Cross-Site Scripting Vulnerability

CVE ID: CVE-2023-20104

Affected Product: This vulnerability affects Cisco Webex App for Web, which is cloud based.

Remediation: There are no workarounds that address this vulnerability.

Name of the Vulnerability: Cisco Finesse Reverse Proxy VPN-less Access to Finesse Desktop Denial of Service Vulnerability

CVE ID: CVE-2023-20088

Affected Product:

At the time of publication, this vulnerability affected Cisco Finesse only if the reverse proxy was installed and requests to the reverse proxy were routed through the load balancer.

The following Cisco products, which may be bundled with Cisco Finesse, were also affected by this vulnerability:

  • Packaged Contact Center Enterprise (PCCE)
  • Unified Contact Center Enterprise (UCCE)
  • Unified Contact Center Express (UCCX)

Remediation:

A workaround for this vulnerability is available for customers who cannot upgrade to a fixed release. To coordinate implementation of the workaround, contact the Cisco Technical Assistance Center (TAC).

While this workaround has been deployed and was proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.

Name of the Vulnerability: Cisco Unified Intelligence Center Vulnerabilities

CVE ID: CVE-2023-20061, CVE-2023-20062

Affected Product:

At the time of publication, these vulnerabilities affected Cisco Unified Intelligence Center.

The following Cisco products that may be bundled with Cisco Unified Intelligence Center are also affected by these vulnerabilities:

  • Packaged Contact Center Enterprise (Packaged CCE)
  • Unified Contact Center Enterprise (Unified CCE)
  • Unified Contact Center Express (Unified CCX)

Remediation: There are no workarounds that address these vulnerabilities.

Name of the Vulnerability: Cisco Prime Infrastructure and Evolved Programmable Network Manager Stored Cross-Site Scripting Vulnerability

CVE ID: CVE-2023-20069

Affected Product: At the time of publication, this vulnerability affected Cisco Prime Infrastructure and Cisco EPN Manager.

Remediation: There are no workarounds that address this vulnerability.

Users are advised to visit the following URL and follow the steps to apply the fixes.

https://tools.cisco.com/security/center/publicationListing.x

D. References:

https://tools.cisco.com/security/center/publicationListing.x