Cisco Family November 2024 First Round Security Update Advisory
Overview
Cisco (https://www.cisco.com) has released security updates that fix vulnerabilities in its products. Users of affected systems are advised to update to the latest fixed version.
Affected Products
Cisco Aironet Access Point Software (IOS XE Controller)
Cisco Data Center Network Manager
Cisco Meeting Management
Cisco Secure Email
Cisco Secure Email and Web Manager
Cisco Secure Web Appliance
Cisco Unified Communications Manager
Cisco Unified Communications Manager IM and Presence Service
Cisco Unified Contact Center Management Portal
Resolved Vulnerabilities
SQL injection vulnerability in Cisco Data Center Network Manager (now Cisco Nexus Dashboard Fabric Controller) due to insufficient validation of user-supplied input in the REST API and web UI, which could allow an authenticated remote attacker to read, modify, or delete arbitrary data in the internal database (CVE-2024-20536, CVSS 8.8) [1]
Vulnerability in Cisco Unified Communications Manager IM and Presence Service that could allow an attacker to access sensitive information on an affected device, because credentials are stored unencrypted in certain logs (CVE-2024-20457, CVSS 6.5) [2]
Cross-site scripting vulnerability in Cisco Unified Communications Manager due to insufficient validation of user input in the web-based administration interface, which could allow arbitrary script code to execute in the context of that interface (CVE-2024-20511, CVSS 6.1) [3]
Stored cross-site scripting vulnerability in Cisco Unified Contact Center Management Portal due to insufficient validation of user input in the web-based administration interface, which could allow arbitrary script code to execute in the context of that interface (CVE-2024-20540, CVSS 5.4) [4]
Stored cross-site scripting vulnerability in Cisco Secure Email, Cisco Secure Email and Web Manager, and Cisco Secure Web Appliance due to insufficient validation of user-supplied input, which could allow arbitrary script code to execute in the context of the affected interface (CVE-2024-20504, CVSS 5.4) [5]
Vulnerability in Cisco Meeting Management due to improper storage of sensitive information within the web-based management interface, which could allow an attacker to view sensitive data stored on the affected device (CVE-2024-20507, CVSS 4.3) [6]
Vulnerability in Cisco Aironet Access Point Software (IOS XE Controller), specifically Cisco Unified Industrial Wireless Software on Ultra-Reliable Wireless Backhaul (URWB) access points, that could allow an unauthenticated remote attacker to execute arbitrary commands with root privileges on the underlying operating system, due to improper validation of input to the web-based management interface (CVE-2024-20418, CVSS 10.0) [7]
Vulnerability Patches
Product-specific patches were made available in the November 07, 2024 update. Refer to the 'Affected Products' and 'Fixed Software' sections of the product-specific advisories listed under Referenced Sites below to identify the fixed release for each product and apply the patches.
Referenced Sites
[1] Cisco Nexus Dashboard Fabric Controller SQL Injection Vulnerability
[2] Cisco Unified Communications Manager IM & Presence Service Information Disclosure Vulnerability
[3] Cisco Unified Communications Manager Cross-Site Scripting Vulnerability
[4] Cisco Unified Contact Center Management Portal Stored Cross-Site Scripting Vulnerability
[5] Cisco Secure Email and Web Manager, Secure Email Gateway, and Secure Web Appliance Stored Cross-Site Scripting Vulnerability
[6] Cisco Meeting Management Information Disclosure Vulnerability
[7] Cisco Unified Industrial Wireless Software for Ultra-Reliable Wireless Backhaul Access Point Command Injection Vulnerability