CVE-2024-20460

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (CWE-80)

Published: Oct 16, 2024 / Updated: 34d ago

010
CVSS 6.1EPSS 0.04%Medium
CVE info copied to clipboard

Summary

A vulnerability in the web-based management interface of Cisco ATA 190 Series Analog Telephone Adapter firmware could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user. This vulnerability is due to insufficient validation of user input. An attacker could exploit this vulnerability by persuading a user to click a crafted link.

Impact

A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information on an affected device. The vulnerability has a CVSS v3.1 base score of 6.1 (Medium severity), with low impact on confidentiality and integrity, but no impact on availability. The attack vector is network-based, requires low attack complexity, and user interaction is necessary for exploitation.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

The vulnerability data does not provide specific information about the availability of a patch.

Mitigation

While specific mitigation steps are not provided in the vulnerability data, general best practices for XSS vulnerabilities should be applied. This may include input validation, output encoding, and implementing Content Security Policy (CSP) headers. Users should be cautioned against clicking on untrusted links, especially those related to the management interface of the Cisco ATA 190 Series Analog Telephone Adapter.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Timeline

CVE Assignment

NVD published the first details for CVE-2024-20460

Oct 16, 2024 at 5:15 PM
First Article

Feedly found the first article mentioning CVE-2024-20460. See article

Oct 16, 2024 at 5:20 PM / #vulnerability
CVSS

A CVSS base score of 6.1 has been assigned.

Oct 16, 2024 at 5:20 PM / nvd
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Oct 16, 2024 at 5:24 PM
EPSS

EPSS Score was set to: 0.04% (Percentile: 9.7%)

Oct 17, 2024 at 10:03 AM
Threat Intelligence Report

CVE-2024-20460 is a cross-site vulnerability that requires an attacker to redirect an administrator’s browser to malicious URLs, potentially compromising the administrative interface of Cisco's ATA 190 Series devices. The criticality of this vulnerability is underscored by its potential to facilitate further attacks, although specific details regarding CVSS scores, exploitation in the wild, proof-of-concept exploits, mitigations, or downstream impacts are not provided in the available information. Cisco has addressed this and other vulnerabilities in their recent updates, but further details on patches or detections are not mentioned. See article

Oct 25, 2024 at 12:45 PM
Static CVE Timeline Graph

Affected Systems

Cisco/ata_192_firmware
+null more

Patches

sec.cloudapps.cisco.com
+null more

Attack Patterns

CAPEC-18: XSS Targeting Non-Script Elements
+null more

References

Select at least one checkbox to view vulnerabilities that affect Cisco products
Summary: Multiple vulnerabilities in Cisco Identity Services Engine (ISE) could allow a remote attacker to conduct an authorization bypass attack and cross-site scripting (XSS) attacks against a user of the web-based management interface on an affected device.For more information about these Read More... Summary: Multiple vulnerabilities in Cisco Identity Services Engine (ISE) could allow a remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface, perform a path traversal attack, read and delete arbitrary files on an affected device, or conduct a Read More...
Cisco ATA 190 Series Analog Telephone Adapter Firmware Vulnerabilities
A vulnerability in the web-based management interface of Cisco ATA 190 Multiplatform Series Analog Telephone Adapter firmware could allow an authenticated, remote attacker with high privileges to execute arbitrary commands as the root user on the underlying operating system. A vulnerability in the web-based management interface of Cisco ATA 190 Series Analog Telephone Adapter firmware could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device.
Cisco ATA 190 Series Analog Telephone Adapter Firmware Vulnerabilities
Multiple vulnerabilities in Cisco ATA 190 Series Analog Telephone Adapter firmware, both on-premises and multiplatform, could allow a remote attacker to delete or change the configuration, execute commands as the root user, conduct a cross-site scripting (XSS) attack against a user of the interface , view passwords, conduct a cross-site request forgery (CSRF) attack, or reboot the device. For more information about these vulnerabilities, see the Details section of this advisory. Cisco has released firmware updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities. However, there is a mitigation that addresses some of these vulnerabilities for Cisco ATA 191 on-premises firmware only. This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ata19x-multi-RDTEqRsy Security Impact Rating: High CVE: CVE-2024-20420,CVE-2024-20421,CVE-2024-20458,CVE-2024-20459,CVE-2024-20460,CVE-2024-20461,CVE-2024-20462,CVE-2024-20463
See 2 more references

News

Select at least one checkbox to view vulnerabilities that affect Cisco products
Summary: Multiple vulnerabilities in Cisco Identity Services Engine (ISE) could allow a remote attacker to conduct an authorization bypass attack and cross-site scripting (XSS) attacks against a user of the web-based management interface on an affected device.For more information about these Read More... Summary: Multiple vulnerabilities in Cisco Identity Services Engine (ISE) could allow a remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface, perform a path traversal attack, read and delete arbitrary files on an affected device, or conduct a Read More...
[RTCSec news] October 2024 - WebRTC app vulnerabilities at DEF CON 32, SIP URI security, VoIP product fixes
3 years of newsletter, a new white paper about a WebRTC implementation vulnerability, DEF CON 32 talks that mention WebRTC, a fake FBI-run phone company and SIP URI parsing vulnerabilities, various vulnerabilities fixed in Cisco ATA devices, Mitel, VICIDial, and more October 2024 - WebRTC app vulnerabilities at DEF CON 32, SIP URI security, VoIP product fixes
Cisco ATA 190 Series Analog Telephone Adapter Firmware Flaws Exposed: Patch Now!
These vulnerabilities present a significant risk to affected devices, potentially allowing attackers to gain unauthorized access, manipulate device configurations, execute commands as a root user, and even cause denial of service (DoS). Another serious vulnerability, CVE-2024-20459, enables an authenticated attacker with high privileges to execute arbitrary commands as the root user on the underlying operating system.
CVE Alert: CVE-2024-20460 - https://www. redpacketsecurity.com/cve_aler t_cve-2024-20460/ # OSINT # ThreatIntel # CyberSecurity # cve_2024_20460
CVE Alert: CVE-2024-20460
A vulnerability in the web-based management interface of Cisco ATA 190 Series Analog Telephone Adapter firmware could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user. An attacker could exploit this vulnerability by persuading a user to click a crafted link.
See 12 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:None
User Interaction:Required
Scope:Changed
Confidentiality:Low
Integrity:Low
Availability Impact:None

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI