Cisco on Wednesday rolled out security updates to address a critical flaw affecting its IP Phone 6800, 7800, 7900, and 8800 Series products.
The vulnerability, tracked as CVE-2023-20078, is rated 9.8 out of 10 on the CVSS scoring system and is described as a command injection bug in the web-based management interface arising from insufficient validation of user-supplied input.
Successful exploitation of the bug could allow an unauthenticated, remote attacker to inject arbitrary commands that are executed with the highest privileges on the underlying operating system.
"An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface," Cisco said in an advisory published on March 1, 2023.
Also patched by the company is a high-severity denial-of-service (DoS) vulnerability affecting the same set of devices, as well as the Cisco Unified IP Conference Phone 8831 and Unified IP Phone 7900 Series.
CVE-2023-20079 (CVSS score: 7.5), also a result of insufficient validation of user-supplied input in the web-based management interface, could be abused by an adversary to trigger a DoS condition.
While Cisco has released Cisco Multiplatform Firmware version 11.3.7SR1 to fix CVE-2023-20078, the company said it does not plan to fix CVE-2023-20079, as both the Unified IP Conference Phone models have entered end-of-life (EoL).
The company said it's not aware of any malicious exploitation attempts targeting the flaw. It also noted that the flaws were found during internal security testing.
The advisory arrives as Aruba Networks, a subsidiary of Hewlett Packard Enterprise, released an update to ArubaOS to remediate multiple unauthenticated command injection and stack-based buffer overflow flaws (CVE-2023-22747 through CVE-2023-22752, CVSS scores: 9.8) that could result in code execution.
Some parts of this article are sourced from:
thehackernews.com