CVE-2023-20209
Severity
7.2 HIGH
EPSS
31.9%
top 3.19%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published Aug 16
Description
A vulnerability in the web-based management interface of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an authenticated, remote attacker with read-write privileges on the application to perform a command injection attack that could result in remote code execution on an affected device.
This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted request to the web-based…
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Exploitability: 1.2 | Impact: 5.2
Affected Packages
2 packages
Vulnerability Details (2)
CVEList: CVE-2023-20209 (2023-08-16)
GHSA: GHSA-fqmx-hq6j-36x9 (2023-08-16)
Vendor Advisories (1)
Cisco: Cisco Expressway Series and Cisco TelePresence Video Communication Server Command Injection Vulnerability (2023-08-16)