CVE-2022-20774

A vulnerability in the web-based management interface of Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack against a user of the web-based interface of an affected system. This vulnerability is due to insufficient CSRF protections for the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading an authenticated user of the interface to follow a crafted link. A successful exploit could allow the attacker to perform configuration changes on the affected device, resulting in a denial of service (DoS) condition.

CVSS v3 8.1 HIGH
CVSS v2.0 4.9 MEDIUM

8.1^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

4.9^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:S/C:N/I:P/A:P

Exploitability : 6.8 / Impact : 4.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voip-phone-csrf-K56vXvVx	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:cisco:ip_phone_6871_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:cisco:ip_phone_6871:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:cisco:ip_phone_6861_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:cisco:ip_phone_6861:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

cpe:2.3:o:cisco:ip_phone_6851_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:cisco:ip_phone_6851:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND

cpe:2.3:o:cisco:ip_phone_6841_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:cisco:ip_phone_6841:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND

cpe:2.3:o:cisco:ip_phone_6825_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:cisco:ip_phone_6825:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND

cpe:2.3:o:cisco:ip_phone_7861_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:cisco:ip_phone_7861:-:*:*:*:*:*:*:*

Configuration 7 (hide)

AND

cpe:2.3:o:cisco:ip_phone_7841_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:cisco:ip_phone_7841:-:*:*:*:*:*:*:*

Configuration 8 (hide)

AND

cpe:2.3:h:cisco:ip_phone_7832:-:*:*:*:*:*:*:*

cpe:2.3:o:cisco:ip_phone_7832_firmware:*:*:*:*:*:*:*:*

Configuration 9 (hide)

AND

cpe:2.3:h:cisco:ip_phone_7821:-:*:*:*:*:*:*:*

cpe:2.3:o:cisco:ip_phone_7821_firmware:*:*:*:*:*:*:*:*

Configuration 10 (hide)

AND

cpe:2.3:h:cisco:ip_phone_7811:-:*:*:*:*:*:*:*

cpe:2.3:o:cisco:ip_phone_7811_firmware:*:*:*:*:*:*:*:*

Configuration 11 (hide)

AND

cpe:2.3:h:cisco:ip_phone_8865:-:*:*:*:*:*:*:*

cpe:2.3:o:cisco:ip_phone_8865_firmware:*:*:*:*:*:*:*:*

Configuration 12 (hide)

AND

cpe:2.3:h:cisco:ip_phone_8861:-:*:*:*:*:*:*:*

cpe:2.3:o:cisco:ip_phone_8861_firmware:*:*:*:*:*:*:*:*

Configuration 13 (hide)

AND

cpe:2.3:h:cisco:ip_phone_8851:-:*:*:*:*:*:*:*

cpe:2.3:o:cisco:ip_phone_8851_firmware:*:*:*:*:*:*:*:*

Configuration 14 (hide)

AND

cpe:2.3:h:cisco:ip_phone_8845:-:*:*:*:*:*:*:*

cpe:2.3:o:cisco:ip_phone_8845_firmware:*:*:*:*:*:*:*:*

Configuration 15 (hide)

AND

cpe:2.3:o:cisco:ip_phone_8841_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:cisco:ip_phone_8841:-:*:*:*:*:*:*:*

Configuration 16 (hide)

AND

cpe:2.3:o:cisco:ip_phone_8832_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:cisco:ip_phone_8832:-:*:*:*:*:*:*:*

Configuration 17 (hide)

AND

cpe:2.3:o:cisco:ip_phone_8811_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:cisco:ip_phone_8811:-:*:*:*:*:*:*:*

History

14 Apr 2022, 09:11

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 4.9 v3 : 8.1
References	~~(CISCO) https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voip-phone-csrf-K56vXvVx -~~	(CISCO) https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voip-phone-csrf-K56vXvVx - Vendor Advisory
CWE		CWE-352
CPE		cpe:2.3:h:cisco:ip_phone_8861:-:::::::* cpe:2.3:o:cisco:ip_phone_6825_firmware:::::::: cpe:2.3:o:cisco:ip_phone_8811_firmware:::::::: cpe:2.3:h:cisco:ip_phone_7821:-:::::::* cpe:2.3:o:cisco:ip_phone_8851_firmware:::::::: cpe:2.3:o:cisco:ip_phone_8841_firmware:::::::: cpe:2.3:h:cisco:ip_phone_8865:-:::::::* cpe:2.3:o:cisco:ip_phone_7861_firmware:::::::: cpe:2.3:o:cisco:ip_phone_8865_firmware:::::::: cpe:2.3:h:cisco:ip_phone_6851:-:::::::* cpe:2.3:o:cisco:ip_phone_8845_firmware:::::::: cpe:2.3:h:cisco:ip_phone_7861:-:::::::* cpe:2.3:h:cisco:ip_phone_7832:-:::::::* cpe:2.3:o:cisco:ip_phone_6871_firmware:::::::: cpe:2.3:h:cisco:ip_phone_6841:-:::::::* cpe:2.3:o:cisco:ip_phone_7821_firmware:::::::: cpe:2.3:h:cisco:ip_phone_6871:-:::::::* cpe:2.3:o:cisco:ip_phone_7832_firmware:::::::: cpe:2.3:h:cisco:ip_phone_8841:-:::::::* cpe:2.3:h:cisco:ip_phone_6861:-:::::::* cpe:2.3:h:cisco:ip_phone_7841:-:::::::* cpe:2.3:h:cisco:ip_phone_8851:-:::::::* cpe:2.3:o:cisco:ip_phone_8832_firmware:::::::: cpe:2.3:o:cisco:ip_phone_6851_firmware:::::::: cpe:2.3:o:cisco:ip_phone_7841_firmware:::::::: cpe:2.3:h:cisco:ip_phone_6825:-:::::::* cpe:2.3:o:cisco:ip_phone_6861_firmware:::::::: cpe:2.3:h:cisco:ip_phone_7811:-:::::::* cpe:2.3:o:cisco:ip_phone_7811_firmware:::::::: cpe:2.3:o:cisco:ip_phone_8861_firmware:::::::: cpe:2.3:h:cisco:ip_phone_8845:-:::::::* cpe:2.3:h:cisco:ip_phone_8811:-:::::::* cpe:2.3:o:cisco:ip_phone_6841_firmware:::::::: cpe:2.3:h:cisco:ip_phone_8832:-:::::::*

06 Apr 2022, 19:22

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-04-06 19:15

Updated : 2024-02-04 22:29

NVD link : CVE-2022-20774

Mitre link : CVE-2022-20774

CVE.ORG link : CVE-2022-20774

JSON object : View

Products Affected

cisco

ip_phone_6841
ip_phone_7821_firmware
ip_phone_7811
ip_phone_7861_firmware
ip_phone_7841_firmware
ip_phone_8811_firmware
ip_phone_6871
ip_phone_6841_firmware
ip_phone_6861_firmware
ip_phone_6825_firmware
ip_phone_8865
ip_phone_8845
ip_phone_7861
ip_phone_7841
ip_phone_6825
ip_phone_8841
ip_phone_6871_firmware
ip_phone_7832
ip_phone_8851
ip_phone_8841_firmware
ip_phone_8861_firmware
ip_phone_6861
ip_phone_6851
ip_phone_6851_firmware
ip_phone_8861
ip_phone_8851_firmware
ip_phone_8811
ip_phone_8845_firmware
ip_phone_7811_firmware
ip_phone_7821
ip_phone_8865_firmware
ip_phone_8832_firmware
ip_phone_8832
ip_phone_7832_firmware

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

CWE-345

Insufficient Verification of Data Authenticity

8.1 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

4.9 /10

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact PARTIAL

JSON object

Attach tags to CVE-2022-20774

8.1^/10

4.9^/10

Attach tags to `CVE-2022-20774`