Cisco disclosed today a zero-day vulnerability in the company’s Prime Collaboration Deployment (PCD) software that can be exploited for cross-site scripting attacks.
This server management utility enables admins to perform migration or upgrade tasks on servers in their organization’s inventory.
Tracked as CVE-2023-20060, the bug was found in the web-based management interface of Cisco PCD 14 and earlier by Pierre Vivegnis of the NATO Cyber Security Centre (NCSC).
Successful exploitation enables unauthenticated attackers to launch cross-site scripting attacks remotely but requires user interaction.
“This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link,” Cisco explains.
“A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.”
While Cisco shared info on the flaw’s impact, the company will release security updates to address it sometime next month. For now, no workarounds are available to remove the attack vector.
Luckily, the Cisco Product Security Incident Response Team (PSIRT) has yet to find any evidence of malicious use in the wild and is unaware of public exploit code targeting the bug.
Cisco Prime Collaboration Deployment Release | First Fixed Release |
---|---|
14 and earlier | 14SU3 (May 2023) |
Zero-day disclosed in December still waiting for a patch
Cisco also has to patch another high-severity IP Phone zero-day (CVE-2022-20968) with publicly available exploit code, disclosed in early December 2023.
Cisco’s PSIRT warned at the time that it’s “aware that proof-of-concept exploit code is available” and that the “vulnerability has been publicly discussed.”
While the company promised security updates would be released in January 2023, the bug remains unpatched months after the initial disclosure.
Devices impacted by CVE-2022-20968 include Cisco IP phones running 7800 and 8800 Series firmware version 14.2 and earlier.
Even though Cisco didn’t provide a workaround for this IP Phone zero-day, it advised admins to apply temporary mitigation measures, which requires disabling the Cisco Discovery Protocol on affected devices supporting Link Layer Discovery Protocol (LLDP) as a fallback option.
“This is not a trivial change and will require diligence on behalf of the enterprise to evaluate any potential impact to devices as well as the best approach to deploy this change in their enterprise,” the company warned at the time.