Cisco today disclosed a zero-day vulnerability in the company’s Prime Collaboration Deployment (PCD) software that can be exploited for cross-site scripting attacks.
This server management utility allows administrators to perform migration or upgrade tasks on the servers in their organization's inventory.
Tracked as CVE-2023-20060, the bug was found in the web management interface of Cisco PCD 14 and earlier versions by Pierre Vivegnis of the NATO Cyber Security Center (NCSC).
Successful exploitation allows unauthenticated attackers to launch cross-site scripting attacks remotely, but requires user interaction.
“This vulnerability exists because the web-based management interface does not properly validate user-provided input. An attacker could exploit this vulnerability by tricking a user of the interface into clicking a specially crafted link,” Cisco explained.
“A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive browser-based information.”
Although Cisco has shared details of the flaw's impact, the company says it will not release security updates to address it until next month. Currently, there is no workaround available to remove the attack vector.
Fortunately, the Cisco Product Security Incident Response Team (PSIRT) has not yet found any evidence of malicious use in the wild and is not aware of any public exploit code targeting the bug.
| Cisco Prime Collaboration Deployment Version | First fixed version |
|---|---|
| 14 and earlier | 14SU3 (May 2023) |
Zero-day unveiled in December still awaiting a patch
Cisco also still needs to patch another high-severity zero-day affecting its IP phones (CVE-2022-20968), for which exploit code was publicly leaked in early December 2023.
Cisco’s PSIRT warned at the time that it was “aware that proof-of-concept exploit code is available” and that “the vulnerability has been publicly discussed.”
While the company promised security updates would be released in January 2023, the bug remains unfixed months after the initial disclosure.
Devices affected by CVE-2022-20968 include Cisco IP phones running 7800 and 8800 series firmware versions 14.2 and earlier.
Although Cisco has not provided a workaround for this IP phone zero-day, it advised administrators to apply a temporary mitigation: disabling the Cisco Discovery Protocol on affected devices that support the Link Layer Discovery Protocol (LLDP) as a fallback option.
“This is not a trivial change and it will take due diligence on the company’s part to assess any potential impact to devices as well as the best approach to rolling out this change to their business,” the company had warned at the time.