Chris Watts - Tech Analysis Finds Remote Cisco IP Phone Cross-Site Scripting Vulnerability CVE-2014-3313.

The following Critical Vulnerability was found by Chris Watts of Tech Analysis. Congratulations to Chris for continued efforts in making communications a bit safer.

Cisco Small Business SPA300 and SPA500 Series IP Phones Cross-Site Scripting Vulnerability
Critical Vulnerability IDs: 1) AusCERT Alert Number: ESB-2014.1151, 2) National Vulnerability Database: CVE-2014-3313, 3) Cisco ID: CSCuo52582

Summary

A vulnerability in the web user interface of the Cisco Small Business SPA300 and SPA500 Series IP Phones could allow an unauthenticated, remote attacker to execute a cross-site scripting (XSS) attack.

The vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by persuading a user to click a crafted URL.


The following products are affected: as per the vulnerability title, the SPA300 and SPA500 Series of phones.