Cisco Family January 2024 First Security Update Advisory
Overview
Cisco (https://www.cisco.com) has released a security update that fixes vulnerabilities in its products. Users of affected systems are advised to update to the latest version.
Affected Products
Cisco BroadWorks
Cisco Business Wireless Access Point Software
Cisco Identity Services Engine Software
Cisco TelePresence Management Suite (TMS)
Cisco ThousandEyes Recorder Application
Cisco Unity Connection
Resolved Vulnerabilities
Vulnerability in Cisco Unity Connection that could allow malicious files to be stored on the system, due to lack of authentication in certain APIs and improper validation of user-supplied data (CVE-2024-20272, CVSS 7.3) [1]
Vulnerability in Cisco ThousandEyes Recorder Application due to lack of validation of user input, which could allow elevation of privileges to the administrator level (CVE-2024-20277, CVSS 6.8) [2]
Vulnerability in Cisco Business Wireless Access Point Software due to lack of user input validation, allowing arbitrary command execution (CVE-2024-20287, CVSS 6.5) [3]
Vulnerability in Cisco TelePresence Management Suite (TMS) due to lack of input validation, allowing arbitrary script command execution (CVE-2023-20249 and 1 other, CVSS 5.4) [4]
Vulnerability in the web-based administration feature of Cisco Identity Services Engine Software due to lack of validation of user input, which could allow arbitrary script command execution (CVE-2024-20251, CVSS 4.8) [5]
Vulnerability in Cisco BroadWorks due to lack of validation of user input in web-based administration functionality, which could allow arbitrary script command execution (CVE-2024-20270, CVSS 4.8) [6]
Vulnerability Patches
Product-specific vulnerability patches were made available in the 01/10/2024 update. To apply the patches, refer to the “Affected Products” and “Fixed Software” sections of the product-specific advisories listed under Referenced Sites below.
Referenced Sites
[1] Cisco Unity Connection Unauthenticated Arbitrary File Upload Vulnerability
[2] Cisco ThousandEyes Enterprise Agent Virtual Appliance Privilege Escalation Vulnerability
[3] Cisco WAP371 Wireless Access Point Command Injection Vulnerability
[4] Cisco TelePresence Management Suite Cross-Site Scripting Vulnerabilities
[5] Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerability
[6] Cisco BroadWorks Application Delivery Platform and Xtended Services Platform Stored Cross-Site Scripting Vulnerability