CVE-2024-20533 - Vulnerability Details

CVE-2024-20533 - Cisco IP Phone 6800, 7800, 8800, and 9800 Series with Multiplatform Firmware Stored Cross-Site Scripting Vulnerabilities

A vulnerability in the web UI of Cisco Desk Phone 9800 Series, Cisco IP Phone 6800, 7800, and 8800 Series, and Cisco Video Phone 8875 with Cisco Multiplatform Firmware could allow an authenticated, remote attacker to conduct stored cross-site scripting (XSS) attacks against users. This vulnerability exists because the web UI of an affected device does not properly validate user-supplied input. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. Note: To exploit this vulnerability, Web Access must be enabled on the phone and the attacker must have Admin credentials on the device. Web Access is disabled by default.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Cisco	Desk Phone 9841 Desk Phone 9841 With Multiplatform Firmware Desk Phone 9851 Desk Phone 9851 With Multiplatform Firmware Desk Phone 9861 Desk Phone 9861 With Multiplatform Firmware Desk Phone 9871 Desk Phone 9871 With Multiplatform Firmware Ip Phone 6821 Ip Phone 6821 With Multiplatform Firmware Ip Phone 6841 Ip Phone 6841 With Multiplatform Firmware Ip Phone 6851 Ip Phone 6851 With Multiplatform Firmware Ip Phone 6861 Ip Phone 6861 With Multiplatform Firmware Ip Phone 6871 Ip Phone 6871 With Multiplatform Firmware Ip Phone 7811 Ip Phone 7811 With Multiplatform Firmware Ip Phone 7821 Ip Phone 7821 With Multiplatform Firmware Ip Phone 7832 Ip Phone 7832 With Multiplatform Firmware Ip Phone 7841 Ip Phone 7841 With Multiplatform Firmware Ip Phone 7861 Ip Phone 7861 With Multiplatform Firmware Ip Phone 8811 Ip Phone 8811 With Multiplatform Firmware Ip Phone 8831 Ip Phone 8831 With Multiplatform Firmware Ip Phone 8832 Ip Phone 8832 With Multiplatform Firmware Ip Phone 8841 Ip Phone 8841 With Multiplatform Firmware Ip Phone 8845 Ip Phone 8845 With Multiplatform Firmware Ip Phone 8851 Ip Phone 8851 With Multiplatform Firmware Ip Phone 8861 Ip Phone 8861 With Multiplatform Firmware Ip Phone 8865 Ip Phone 8865 With Multiplatform Firmware Video Phone 8875 Video Phone 8875 With Multiplatform Firmware

Configuration 1 [-]

AND

OR	cpe:2.3:o:cisco:desk_phone_9841_with_multiplatform_firmware:3.1\(1\):-::::::
	cpe:2.3:o:cisco:desk_phone_9841_with_multiplatform_firmware:3.1\(1\):sr1::::::

cpe:2.3:h:cisco:desk_phone_9841:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

OR	cpe:2.3:o:cisco:desk_phone_9851_with_multiplatform_firmware:3.1\(1\):-::::::
	cpe:2.3:o:cisco:desk_phone_9851_with_multiplatform_firmware:3.1\(1\):sr1::::::

cpe:2.3:h:cisco:desk_phone_9851:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

OR	cpe:2.3:o:cisco:desk_phone_9861_with_multiplatform_firmware:3.1\(1\):-::::::
	cpe:2.3:o:cisco:desk_phone_9861_with_multiplatform_firmware:3.1\(1\):sr1::::::

cpe:2.3:h:cisco:desk_phone_9861:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND

OR	cpe:2.3:o:cisco:desk_phone_9871_with_multiplatform_firmware:3.1\(1\):-::::::
	cpe:2.3:o:cisco:desk_phone_9871_with_multiplatform_firmware:3.1\(1\):sr1::::::

cpe:2.3:h:cisco:desk_phone_9871:-:*:*:*:*:*:*:*

Configuration 5 [-]

AND

cpe:2.3:o:cisco:ip_phone_6821_with_multiplatform_firmware:12.0\(5\):sr1:*:*:*:*:*:*

cpe:2.3:h:cisco:ip_phone_6821:-:*:*:*:*:*:*:*

Configuration 6 [-]

AND

cpe:2.3:o:cisco:ip_phone_6841_with_multiplatform_firmware:12.0\(5\):sr1:*:*:*:*:*:*

cpe:2.3:h:cisco:ip_phone_6841:-:*:*:*:*:*:*:*

Configuration 7 [-]

AND

cpe:2.3:o:cisco:ip_phone_6851_with_multiplatform_firmware:12.0\(5\):sr1:*:*:*:*:*:*

cpe:2.3:h:cisco:ip_phone_6851:-:*:*:*:*:*:*:*

Configuration 8 [-]

AND

cpe:2.3:o:cisco:ip_phone_6861_with_multiplatform_firmware:12.0\(5\):sr1:*:*:*:*:*:*

cpe:2.3:h:cisco:ip_phone_6861:-:*:*:*:*:*:*:*

Configuration 9 [-]

AND

cpe:2.3:o:cisco:ip_phone_6871_with_multiplatform_firmware:12.0\(5\):sr1:*:*:*:*:*:*

cpe:2.3:h:cisco:ip_phone_6871:-:*:*:*:*:*:*:*

Configuration 10 [-]

AND

cpe:2.3:o:cisco:ip_phone_7811_with_multiplatform_firmware:12.0\(5\):sr1:*:*:*:*:*:*

cpe:2.3:h:cisco:ip_phone_7811:-:*:*:*:*:*:*:*

Configuration 11 [-]

AND

cpe:2.3:o:cisco:ip_phone_7821_with_multiplatform_firmware:12.0\(5\):sr1:*:*:*:*:*:*

cpe:2.3:h:cisco:ip_phone_7821:-:*:*:*:*:*:*:*

Configuration 12 [-]

AND

cpe:2.3:o:cisco:ip_phone_7832_with_multiplatform_firmware:12.0\(5\):sr1:*:*:*:*:*:*

cpe:2.3:h:cisco:ip_phone_7832:-:*:*:*:*:*:*:*

Configuration 13 [-]

AND

cpe:2.3:o:cisco:ip_phone_7841_with_multiplatform_firmware:12.0\(5\):sr1:*:*:*:*:*:*

cpe:2.3:h:cisco:ip_phone_7841:-:*:*:*:*:*:*:*

Configuration 14 [-]

AND

cpe:2.3:o:cisco:ip_phone_7861_with_multiplatform_firmware:12.0\(5\):sr1:*:*:*:*:*:*

cpe:2.3:h:cisco:ip_phone_7861:-:*:*:*:*:*:*:*

Configuration 15 [-]

AND

cpe:2.3:o:cisco:ip_phone_8811_with_multiplatform_firmware:12.0\(5\):sr1:*:*:*:*:*:*

cpe:2.3:h:cisco:ip_phone_8811:-:*:*:*:*:*:*:*

Configuration 16 [-]

AND

cpe:2.3:o:cisco:ip_phone_8832_with_multiplatform_firmware:12.0\(5\):sr1:*:*:*:*:*:*

cpe:2.3:h:cisco:ip_phone_8832:-:*:*:*:*:*:*:*

Configuration 17 [-]

AND

cpe:2.3:o:cisco:ip_phone_8841_with_multiplatform_firmware:12.0\(5\):sr1:*:*:*:*:*:*

cpe:2.3:h:cisco:ip_phone_8841:-:*:*:*:*:*:*:*

Configuration 18 [-]

AND

cpe:2.3:o:cisco:ip_phone_8845_with_multiplatform_firmware:12.0\(5\):sr1:*:*:*:*:*:*

cpe:2.3:h:cisco:ip_phone_8845:-:*:*:*:*:*:*:*

Configuration 19 [-]

AND

cpe:2.3:o:cisco:ip_phone_8851_with_multiplatform_firmware:12.0\(5\):sr1:*:*:*:*:*:*

cpe:2.3:h:cisco:ip_phone_8851:-:*:*:*:*:*:*:*

Configuration 20 [-]

AND

cpe:2.3:o:cisco:ip_phone_8861_with_multiplatform_firmware:12.0\(5\):sr1:*:*:*:*:*:*

cpe:2.3:h:cisco:ip_phone_8861:-:*:*:*:*:*:*:*

Configuration 21 [-]

AND

cpe:2.3:o:cisco:ip_phone_8865_with_multiplatform_firmware:12.0\(5\):sr1:*:*:*:*:*:*

cpe:2.3:h:cisco:ip_phone_8865:-:*:*:*:*:*:*:*

Configuration 22 [-]

AND

OR	cpe:2.3:o:cisco:video_phone_8875_with_multiplatform_firmware::-::::::*
	cpe:2.3:o:cisco:video_phone_8875_with_multiplatform_firmware:2.3\(1\):-::::::
	cpe:2.3:o:cisco:video_phone_8875_with_multiplatform_firmware:2.3\(1\):sr1::::::

cpe:2.3:h:cisco:video_phone_8875:-:*:*:*:*:*:*:*

Configuration 23 [-]

AND

cpe:2.3:o:cisco:ip_phone_8831_with_multiplatform_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:cisco:ip_phone_8831:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-mpp-xss-8tAV2TvF

History

Mon, 05 Jan 2026 15:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Cisco Cisco desk Phone 9841 Cisco desk Phone 9841 With Multiplatform Firmware Cisco desk Phone 9851 Cisco desk Phone 9851 With Multiplatform Firmware Cisco desk Phone 9861 Cisco desk Phone 9861 With Multiplatform Firmware Cisco desk Phone 9871 Cisco desk Phone 9871 With Multiplatform Firmware Cisco ip Phone 6821 Cisco ip Phone 6821 With Multiplatform Firmware Cisco ip Phone 6841 Cisco ip Phone 6841 With Multiplatform Firmware Cisco ip Phone 6851 Cisco ip Phone 6851 With Multiplatform Firmware Cisco ip Phone 6861 Cisco ip Phone 6861 With Multiplatform Firmware Cisco ip Phone 6871 Cisco ip Phone 6871 With Multiplatform Firmware Cisco ip Phone 7811 Cisco ip Phone 7811 With Multiplatform Firmware Cisco ip Phone 7821 Cisco ip Phone 7821 With Multiplatform Firmware Cisco ip Phone 7832 Cisco ip Phone 7832 With Multiplatform Firmware Cisco ip Phone 7841 Cisco ip Phone 7841 With Multiplatform Firmware Cisco ip Phone 7861 Cisco ip Phone 7861 With Multiplatform Firmware Cisco ip Phone 8811 Cisco ip Phone 8811 With Multiplatform Firmware Cisco ip Phone 8831 Cisco ip Phone 8831 With Multiplatform Firmware Cisco ip Phone 8832 Cisco ip Phone 8832 With Multiplatform Firmware Cisco ip Phone 8841 Cisco ip Phone 8841 With Multiplatform Firmware Cisco ip Phone 8845 Cisco ip Phone 8845 With Multiplatform Firmware Cisco ip Phone 8851 Cisco ip Phone 8851 With Multiplatform Firmware Cisco ip Phone 8861 Cisco ip Phone 8861 With Multiplatform Firmware Cisco ip Phone 8865 Cisco ip Phone 8865 With Multiplatform Firmware Cisco video Phone 8875 Cisco video Phone 8875 With Multiplatform Firmware
CPEs		cpe:2.3:h:cisco:desk_phone_9841:-:::::::* cpe:2.3:h:cisco:desk_phone_9851:-:::::::* cpe:2.3:h:cisco:desk_phone_9861:-:::::::* cpe:2.3:h:cisco:desk_phone_9871:-:::::::* cpe:2.3:h:cisco:ip_phone_6821:-:::::::* cpe:2.3:h:cisco:ip_phone_6841:-:::::::* cpe:2.3:h:cisco:ip_phone_6851:-:::::::* cpe:2.3:h:cisco:ip_phone_6861:-:::::::* cpe:2.3:h:cisco:ip_phone_6871:-:::::::* cpe:2.3:h:cisco:ip_phone_7811:-:::::::* cpe:2.3:h:cisco:ip_phone_7821:-:::::::* cpe:2.3:h:cisco:ip_phone_7832:-:::::::* cpe:2.3:h:cisco:ip_phone_7841:-:::::::* cpe:2.3:h:cisco:ip_phone_7861:-:::::::* cpe:2.3:h:cisco:ip_phone_8811:-:::::::* cpe:2.3:h:cisco:ip_phone_8831:-:::::::* cpe:2.3:h:cisco:ip_phone_8832:-:::::::* cpe:2.3:h:cisco:ip_phone_8841:-:::::::* cpe:2.3:h:cisco:ip_phone_8845:-:::::::* cpe:2.3:h:cisco:ip_phone_8851:-:::::::* cpe:2.3:h:cisco:ip_phone_8861:-:::::::* cpe:2.3:h:cisco:ip_phone_8865:-:::::::* cpe:2.3:h:cisco:video_phone_8875:-:::::::* cpe:2.3:o:cisco:desk_phone_9841_with_multiplatform_firmware:3.1\(1\):-:::::: cpe:2.3:o:cisco:desk_phone_9841_with_multiplatform_firmware:3.1\(1\):sr1:::::: cpe:2.3:o:cisco:desk_phone_9851_with_multiplatform_firmware:3.1\(1\):-:::::: cpe:2.3:o:cisco:desk_phone_9851_with_multiplatform_firmware:3.1\(1\):sr1:::::: cpe:2.3:o:cisco:desk_phone_9861_with_multiplatform_firmware:3.1\(1\):-:::::: cpe:2.3:o:cisco:desk_phone_9861_with_multiplatform_firmware:3.1\(1\):sr1:::::: cpe:2.3:o:cisco:desk_phone_9871_with_multiplatform_firmware:3.1\(1\):-:::::: cpe:2.3:o:cisco:desk_phone_9871_with_multiplatform_firmware:3.1\(1\):sr1:::::: cpe:2.3:o:cisco:ip_phone_6821_with_multiplatform_firmware:12.0\(5\):sr1:::::: cpe:2.3:o:cisco:ip_phone_6841_with_multiplatform_firmware:12.0\(5\):sr1:::::: cpe:2.3:o:cisco:ip_phone_6851_with_multiplatform_firmware:12.0\(5\):sr1:::::: cpe:2.3:o:cisco:ip_phone_6861_with_multiplatform_firmware:12.0\(5\):sr1:::::: cpe:2.3:o:cisco:ip_phone_6871_with_multiplatform_firmware:12.0\(5\):sr1:::::: cpe:2.3:o:cisco:ip_phone_7811_with_multiplatform_firmware:12.0\(5\):sr1:::::: cpe:2.3:o:cisco:ip_phone_7821_with_multiplatform_firmware:12.0\(5\):sr1:::::: cpe:2.3:o:cisco:ip_phone_7832_with_multiplatform_firmware:12.0\(5\):sr1:::::: cpe:2.3:o:cisco:ip_phone_7841_with_multiplatform_firmware:12.0\(5\):sr1:::::: cpe:2.3:o:cisco:ip_phone_7861_with_multiplatform_firmware:12.0\(5\):sr1:::::: cpe:2.3:o:cisco:ip_phone_8811_with_multiplatform_firmware:12.0\(5\):sr1:::::: cpe:2.3:o:cisco:ip_phone_8831_with_multiplatform_firmware:-:::::::* cpe:2.3:o:cisco:ip_phone_8832_with_multiplatform_firmware:12.0\(5\):sr1:::::: cpe:2.3:o:cisco:ip_phone_8841_with_multiplatform_firmware:12.0\(5\):sr1:::::: cpe:2.3:o:cisco:ip_phone_8845_with_multiplatform_firmware:12.0\(5\):sr1:::::: cpe:2.3:o:cisco:ip_phone_8851_with_multiplatform_firmware:12.0\(5\):sr1:::::: cpe:2.3:o:cisco:ip_phone_8861_with_multiplatform_firmware:12.0\(5\):sr1:::::: cpe:2.3:o:cisco:ip_phone_8865_with_multiplatform_firmware:12.0\(5\):sr1:::::: cpe:2.3:o:cisco:video_phone_8875_with_multiplatform_firmware::-::::::* cpe:2.3:o:cisco:video_phone_8875_with_multiplatform_firmware:2.3\(1\):-:::::: cpe:2.3:o:cisco:video_phone_8875_with_multiplatform_firmware:2.3\(1\):sr1::::::
Vendors & Products		Cisco Cisco desk Phone 9841 Cisco desk Phone 9841 With Multiplatform Firmware Cisco desk Phone 9851 Cisco desk Phone 9851 With Multiplatform Firmware Cisco desk Phone 9861 Cisco desk Phone 9861 With Multiplatform Firmware Cisco desk Phone 9871 Cisco desk Phone 9871 With Multiplatform Firmware Cisco ip Phone 6821 Cisco ip Phone 6821 With Multiplatform Firmware Cisco ip Phone 6841 Cisco ip Phone 6841 With Multiplatform Firmware Cisco ip Phone 6851 Cisco ip Phone 6851 With Multiplatform Firmware Cisco ip Phone 6861 Cisco ip Phone 6861 With Multiplatform Firmware Cisco ip Phone 6871 Cisco ip Phone 6871 With Multiplatform Firmware Cisco ip Phone 7811 Cisco ip Phone 7811 With Multiplatform Firmware Cisco ip Phone 7821 Cisco ip Phone 7821 With Multiplatform Firmware Cisco ip Phone 7832 Cisco ip Phone 7832 With Multiplatform Firmware Cisco ip Phone 7841 Cisco ip Phone 7841 With Multiplatform Firmware Cisco ip Phone 7861 Cisco ip Phone 7861 With Multiplatform Firmware Cisco ip Phone 8811 Cisco ip Phone 8811 With Multiplatform Firmware Cisco ip Phone 8831 Cisco ip Phone 8831 With Multiplatform Firmware Cisco ip Phone 8832 Cisco ip Phone 8832 With Multiplatform Firmware Cisco ip Phone 8841 Cisco ip Phone 8841 With Multiplatform Firmware Cisco ip Phone 8845 Cisco ip Phone 8845 With Multiplatform Firmware Cisco ip Phone 8851 Cisco ip Phone 8851 With Multiplatform Firmware Cisco ip Phone 8861 Cisco ip Phone 8861 With Multiplatform Firmware Cisco ip Phone 8865 Cisco ip Phone 8865 With Multiplatform Firmware Cisco video Phone 8875 Cisco video Phone 8875 With Multiplatform Firmware

Sat, 12 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00047}`	epss `{'score': 0.00051}`

Wed, 06 Nov 2024 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 06 Nov 2024 17:00:00 +0000

Type	Values Removed	Values Added
Description	Multiple vulnerabilities in the web UI of Cisco Desk Phone 9800 Series, Cisco IP Phone 6800, 7800, and 8800 Series, and Cisco Video Phone 8875 with Cisco Multiplatform Firmware could allow an authenticated, remote attacker to conduct stored cross-site scripting (XSS) attacks against users. These vulnerabilities exist because the web UI of an affected device does not properly validate user-supplied input. An attacker could exploit these vulnerabilities by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. Note: To exploit these vulnerabilities, Web Access must be enabled on the phone and the attacker must have Admin credentials on the device. Web Access is disabled by default.	A vulnerability in the web UI of Cisco Desk Phone 9800 Series, Cisco IP Phone 6800, 7800, and 8800 Series, and Cisco Video Phone 8875 with Cisco Multiplatform Firmware could allow an authenticated, remote attacker to conduct stored cross-site scripting (XSS) attacks against users. This vulnerability exists because the web UI of an affected device does not properly validate user-supplied input. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. Note: To exploit this vulnerability, Web Access must be enabled on the phone and the attacker must have Admin credentials on the device. Web Access is disabled by default.

Wed, 06 Nov 2024 16:45:00 +0000

Type	Values Removed	Values Added
Description		Multiple vulnerabilities in the web UI of Cisco Desk Phone 9800 Series, Cisco IP Phone 6800, 7800, and 8800 Series, and Cisco Video Phone 8875 with Cisco Multiplatform Firmware could allow an authenticated, remote attacker to conduct stored cross-site scripting (XSS) attacks against users. These vulnerabilities exist because the web UI of an affected device does not properly validate user-supplied input. An attacker could exploit these vulnerabilities by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. Note: To exploit these vulnerabilities, Web Access must be enabled on the phone and the attacker must have Admin credentials on the device. Web Access is disabled by default.
Title		Cisco IP Phone 6800, 7800, 8800, and 9800 Series with Multiplatform Firmware Stored Cross-Site Scripting Vulnerabilities
Weaknesses		CWE-79
References		https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-mpp-xss-8tAV2TvF
Metrics		cvssV3_1 `{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}`

MITRE

Status: PUBLISHED

Assigner: cisco

Published: 2024-11-06T16:31:21.072Z

Updated: 2024-11-06T17:00:38.504Z

Reserved: 2023-11-08T15:08:07.692Z

Link: CVE-2024-20533

Vulnrichment

Updated: 2024-11-06T17:00:35.339Z

NVD

Status : Analyzed

Published: 2024-11-06T17:15:18.700

Modified: 2026-01-05T14:50:17.470

Link: CVE-2024-20533

Redhat

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object