Cisco has reported finding a zero-day flaw in one of its products, which could result in threat actors running malicious code remotely, or stealing sensitive data from target endpoints (opens in new tab).
The vulnerability was found in a product called Prime Collaboration Deployment (PCD), a tool used by IT teams to migrate, or upgrade their servers. The flaw is now tracked as CVE-2023-20060, and is deemed of “Medium” severity with a 6.1 score. It’s described as a cross-site scripting vulnerability that can be abused to launch arbitrary code.
However, the patch is still in development, and there are no workarounds for the issue.
Needs victim interaction
A typical cross-site scripting (XSS) attack is a form of an injection, where the threat actor injects a malicious script into an otherwise legitimate, clean website that the users trust.
“This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link,” Cisco said.
“A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.”
In other words, the vulnerability can be exploited, but it depends on the victim’s action. The attacker would need to persuade the victim to click a specially crafted, malicious link.
The company said a fix is in the works but did not provide any timeline as to when it might get released. There are no workarounds.
While that might sound problematic, the Cisco Product Security Incident Response Team (PSIRT) found no evidence of the flaw being used in the wild.
The flaw was discovered by Pierre Vivegnis of NATO Cyber Security Centre (NCSC), Cisco said in its advisory.
Via: BleepingComputer (opens in new tab)
English
Arabic
Belarusian
Bengali
Bosnian
Bulgarian
Chinese (Simplified)
Croatian
Czech
Danish
Dutch
Estonian
Filipino
Finnish
French
Georgian
German
Greek
Gujarati
Hausa
Hebrew
Hindi
Hmong
Hungarian
Igbo
Indonesian
Italian
Japanese
Javanese
Kazakh
Korean
Kurdish (Kurmanji)
Kyrgyz
Lao
Latvian
Lithuanian
Macedonian
Malagasy
Norwegian
Persian
Polish
Portuguese
Punjabi
Romanian
Russian
Serbian
Slovak
Slovenian
Spanish
Swedish
Thai
Turkish
Ukrainian
Vietnamese
Yoruba