CVE-2023-20218

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2023-20218
A vulnerability in web-based management interface of Cisco SPA500 Series Analog Telephone Adapters (ATAs) could allow an authenticated, remote attacker to to modify a web page in the context of a user's browser. This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of the affected software. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to alter the contents of a web page to redirect the user to potentially malicious websites, or the attacker could use this vulnerability to conduct further client-side attacks. Cisco will not release software updates that address this vulnerability. {{value}} ["%7b%7bvalue%7d%7d"])}]]

6.1 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-spa-web-multi-7kvPmu2F Vendor Advisory
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:cisco:spa500ds_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:spa500ds:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
cpe:2.3:o:cisco:spa500s_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:spa500s:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND
cpe:2.3:o:cisco:spa501g_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:spa501g:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND
cpe:2.3:o:cisco:spa502g_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:spa502g:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND
cpe:2.3:o:cisco:spa504g_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:spa504g:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND
cpe:2.3:o:cisco:spa508g_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:spa508g:-:*:*:*:*:*:*:*

Configuration 7 (hide)

AND
cpe:2.3:o:cisco:spa509g_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:spa509g:-:*:*:*:*:*:*:*

Configuration 8 (hide)

AND
cpe:2.3:o:cisco:spa512g_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:spa512g:-:*:*:*:*:*:*:*

Configuration 9 (hide)

AND
cpe:2.3:o:cisco:spa514g_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:spa514g:-:*:*:*:*:*:*:*

Configuration 10 (hide)

AND
cpe:2.3:o:cisco:spa525_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:spa525:-:*:*:*:*:*:*:*

Configuration 11 (hide)

AND
cpe:2.3:o:cisco:spa525g_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:spa525g:-:*:*:*:*:*:*:*

Configuration 12 (hide)

AND
cpe:2.3:o:cisco:spa525g2_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:spa525g2:-:*:*:*:*:*:*:*
History

09 Aug 2023, 15:55

Type Values Removed Values Added
First Time Cisco spa501g Firmware
Cisco spa525g
Cisco spa504g Firmware
Cisco spa512g
Cisco spa501g
Cisco spa500ds
Cisco spa514g Firmware
Cisco spa502g
Cisco spa525
Cisco spa508g
Cisco spa502g Firmware
Cisco spa512g Firmware
Cisco spa525g2 Firmware
Cisco spa504g
Cisco spa500ds Firmware
Cisco spa525g2
Cisco spa508g Firmware
Cisco spa514g
Cisco spa500s Firmware
Cisco spa509g
Cisco spa500s
Cisco
Cisco spa509g Firmware
Cisco spa525g Firmware
Cisco spa525 Firmware
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 6.1
References (MISC) https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-spa-web-multi-7kvPmu2F - (MISC) https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-spa-web-multi-7kvPmu2F - Vendor Advisory
CWE CWE-79
CPE cpe:2.3:o:cisco:spa508g_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:spa509g:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:spa525:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:spa501g:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:spa525g:-:*:*:*:*:*:*:*
cpe:2.3:o:cisco:spa509g_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:spa504g:-:*:*:*:*:*:*:*
cpe:2.3:o:cisco:spa500s_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:spa502g:-:*:*:*:*:*:*:*
cpe:2.3:o:cisco:spa525g_firmware:-:*:*:*:*:*:*:*
cpe:2.3:o:cisco:spa525g2_firmware:-:*:*:*:*:*:*:*
cpe:2.3:o:cisco:spa502g_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:spa525g2:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:spa514g:-:*:*:*:*:*:*:*
cpe:2.3:o:cisco:spa512g_firmware:-:*:*:*:*:*:*:*
cpe:2.3:o:cisco:spa504g_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:spa508g:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:spa500s:-:*:*:*:*:*:*:*
cpe:2.3:o:cisco:spa525_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:spa512g:-:*:*:*:*:*:*:*
cpe:2.3:o:cisco:spa514g_firmware:-:*:*:*:*:*:*:*
cpe:2.3:o:cisco:spa500ds_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:spa500ds:-:*:*:*:*:*:*:*
cpe:2.3:o:cisco:spa501g_firmware:-:*:*:*:*:*:*:*

03 Aug 2023, 22:15

Type Values Removed Values Added
New CVE
Information

Published : 2023-08-03 22:15

Updated : 2024-01-25 17:15

NVD link : CVE-2023-20218

Mitre link : CVE-2023-20218

JSON object : View

Products Affected

cisco

  • spa509g
  • spa500ds_firmware
  • spa525g
  • spa508g_firmware
  • spa512g_firmware
  • spa501g
  • spa500ds
  • spa500s
  • spa525g2_firmware
  • spa525_firmware
  • spa508g
  • spa504g
  • spa514g
  • spa512g
  • spa500s_firmware
  • spa509g_firmware
  • spa504g_firmware
  • spa502g_firmware
  • spa525g2
  • spa501g_firmware
  • spa502g
  • spa514g_firmware
  • spa525
  • spa525g_firmware
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')