Cisco Family October 2024 3rd Security Update Advisory

Overview

Cisco (https://www.cisco.com) has released a security update that fixes vulnerabilities in its products. Users of affected systems are advised to update to the latest version.

Affected Products

Cisco Analog Telephone Adaptor (ATA) Software

Cisco Unified Computing System Central Software

Cisco Unified Contact Center Management Portal

Resolved Vulnerabilities

Vulnerability in Cisco Analog Telephone Adaptor (ATA) Software that could allow an attacker to view or delete configurations or change firmware, due to a lack of authentication on certain HTTP endpoints (CVE-2024-20458, CVSS 8.2) [1]

Vulnerability in Cisco Analog Telephone Adaptor (ATA) Software due to insufficient CSRF protection in the web-based management interface, which could allow an attacker to issue arbitrary commands (CVE-2024-20421, CVSS 7.1) [2]

Vulnerability in the cryptographic method used for the backup function in Cisco Unified Computing System Central Software that could allow an attacker to access backup files to obtain sensitive information stored in the full state backup file and the configuration backup file (CVE-2024-20280, CVSS 6.3) [3]

Vulnerability in Cisco Unified Contact Center Management Portal due to insufficient validation of user input in the web-based administration feature, which could allow execution of arbitrary script commands (CVE-2024-20512, CVSS 6.1) [4]

Vulnerability Patches

Product-specific vulnerability patches were made available in the October 16, 2024 update. To apply the patches, refer to ‘Affected Products’ and ‘Fixed Software’ in the product-specific information listed under Referenced Sites below.

Referenced Sites

[1] Cisco ATA 190 Series Analog Telephone Adapter Firmware Vulnerabilities

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ata19x-multi-RDTEqRsy

[2] Cisco ATA 190 Series Analog Telephone Adapter Firmware Vulnerabilities

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ata19x-multi-RDTEqRsy

[3] Cisco UCS Central Software Configuration Backup Information Disclosure Vulnerability

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucsc-bkpsky-TgJ5f73J

[4] Cisco Unified Contact Center Management Portal Reflected Cross-Site Scripting Vulnerability

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ccmpdm-rxss-tAX76U3k