Home

Description

A vulnerability in the web UI of Cisco Desk Phone 9800 Series, Cisco IP Phone 7800 and 8800 Series, and Cisco Video Phone 8875 running Cisco SIP Software could allow an unauthenticated, remote attacker to conduct XSS attacks against a user of the web UI. This vulnerability exists because the web UI of an affected device does not sufficiently validate user-supplied input. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. Note: To exploit this vulnerability, the phone must be registered to Cisco Unified Communications Manager and have Web Access enabled. Web Access is disabled by default.

PUBLISHED Reserved 2024-10-10 | Published 2025-10-15 | Updated 2025-10-15 | Assigner cisco




MEDIUM: 6.1CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Problem types

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

Default status
unknown

12.1(1)SR1
affected

11.5(1)
affected

10.3(2)
affected

10.2(2)
affected

10.3(1)
affected

10.3(1)SR4
affected

11.0(1)
affected

10.4(1)SR2 3rd Party
affected

11.7(1)
affected

12.1(1)
affected

11.0(0.7) MPP
affected

9.3(4) 3rd Party
affected

12.5(1)SR2
affected

10.2(1)SR1
affected

9.3(4)SR3 3rd Party
affected

10.2(1)
affected

12.5(1)
affected

10.3(1)SR2
affected

11-0-1MSR1-1
affected

10.4(1) 3rd Party
affected

12.5(1)SR1
affected

11.5(1)SR1
affected

10.1(1)SR2
affected

12.0(1)SR2
affected

12.6(1)
affected

10.3(1.11) 3rd Party
affected

12.0(1)
affected

12.0(1)SR1
affected

9.3(3)
affected

12.5(1)SR3
affected

10.3(1)SR4b
affected

9.3(4)SR1 3rd Party
affected

10.3(1)SR5
affected

10.1(1.9)
affected

10.3(1.9) 3rd Party
affected

9.3(4)SR2 3rd Party
affected

10.3(1)SR1
affected

10.3(1)SR3
affected

10.1(1)SR1
affected

12.0(1)SR3
affected

12.6(1)SR1
affected

12.7(1)
affected

10.3(1)SR6
affected

12.8(1)
affected

12.7(1)SR1
affected

11.0(2)SR1
affected

11.0(4)
affected

11.0(2)
affected

11.0(4)SR3
affected

11.0(5)
affected

11.0(3)SR2
affected

11.0(3)SR4
affected

11.0(3)SR3
affected

11.0(2)SR2
affected

11.0(4)SR1
affected

11.0(5)SR3
affected

11.0(3)
affected

11.0(5)SR2
affected

11.0(3)SR6
affected

11.0(5)SR1
affected

11.0(4)SR2
affected

11.0(3)SR1
affected

11.0(3)SR5
affected

11.0(6)
affected

12.8(1)SR1
affected

12.8(1)SR2
affected

14.0(1)
affected

14.0(1)SR1
affected

11.0(6)SR1
affected

10.3(1)SR7
affected

14.0(1)SR2
affected

14.1(1)
affected

14.0(1)SR3
affected

11.0(6)SR2
affected

14.1(1)SR1
affected

14.1(1)SR2
affected

11.0(6)SR4
affected

14.2(1)
affected

14.2(1)SR1
affected

11.0(6)SR5
affected

14.1(1)SR3
affected

14.2(1)SR2
affected

3.1(1)
affected

3.0(1)
affected

2.3(1)
affected

2.3(1)SR1
affected

2.2(1)
affected

2.1(1)
affected

2.0(1)
affected

14.2(1)SR3
affected

3.1(1)SR1
affected

14.3(1)
affected

3.2(1)
affected

14.3(1)SR1
affected

14.2(1)SR4
affected

11.0(6)SR6
affected

14.3(1)SR2
affected

14.3(1)SR3
affected

References

sec.cloudapps.cisco.com/...isory/cisco-sa-phone-dos-FPyjLV7A (cisco-sa-phone-dos-FPyjLV7A)

cve.org (CVE-2025-20351)

nvd.nist.gov (CVE-2025-20351)

Download JSON