Cisco Discloses Zero-Day XSS Vulnerability in Prime Collaboration Deployment Software

by | Apr 27, 2023 | News

Premium Content

Patreon
Subscribe to Patreon to watch this episode.
Reading Time: 3 Minutes

Cisco Zero-Day Vulnerability in Prime Collaboration Deployment Software Discovered, Could Lead to Cross-Site Scripting Attacks

Cisco has disclosed a zero-day vulnerability in its Prime Collaboration Deployment (PCD) software that could be used for cross-site scripting attacks. The flaw was discovered in the web-based management interface of Cisco PCD 14 and earlier by a researcher at the NATO Cyber Security Centre.

The bug could allow unauthenticated attackers to launch remote cross-site scripting attacks, but user interaction is required. Cisco has warned that the vulnerability exists because the web-based management interface does not properly validate user-supplied input. The company is expected to release security updates to address the flaw next month, and no workarounds are currently available.

See Also: So you want to be a hacker?
Offensive Security, Bug Bounty Courses

Cisco yet to patch zero-day IP Phone flaw disclosed in December 2023

In addition to this latest vulnerability, Cisco also has to patch another high-severity IP Phone zero-day vulnerability that was disclosed in December 2023. The bug (CVE-2022-20968) affects Cisco IP phones running 7800 and 8800 Series firmware version 14.2 and earlier.

Cisco’s PSIRT had warned in December that the vulnerability had been publicly discussed, and that proof-of-concept exploit code was available. While the company had promised to release security updates in January 2023, the bug remains unpatched months after the initial disclosure.

Workaround Involves Disabling Cisco Discovery Protocol

Although Cisco did not provide a workaround for this IP Phone zero-day vulnerability, the company advised admins to apply temporary mitigation measures, such as disabling the Cisco Discovery Protocol on affected devices supporting Link Layer Discovery Protocol (LLDP) as a fallback option.

Cisco has warned that this is not a trivial change and will require careful evaluation of potential impacts to devices.

Are u a security researcher? Or a company that writes articles or write ups about Cyber Security, Offensive Security (related to information security in general) that match with our specific audience and is worth sharing?

If you want to express your idea in an article contact us here for a quote: [email protected]

Source: bleepingcomputer.com

Source Link

Merch

Recent News

EXPLORE OUR STORE

Offensive Security & Ethical Hacking Course

Begin the learning curve of hacking now!


Information Security Solutions

Find out how Pentesting Services can help you.


Join our Community

Share This