Cisco has reported finding a zero-day flaw in one of its products, which could result in threat actors running malicious code remotely, or stealing sensitive data from target endpoints.
The vulnerability was found in a product called Prime Collaboration Deployment (PCD), a tool used by IT teams to migrate, or upgrade their servers. The flaw is now tracked as CVE-2023-20060, and is deemed of “Medium” severity with a 6.1 score. It’s described as a cross-site scripting vulnerability that can be abused to launch arbitrary code.
However, the patch is still in development, and there are no workarounds for the issue.
Needs victim interaction
A typical cross-site scripting (XSS) attack is a form of an injection, where the threat actor injects a malicious script into an otherwise legitimate, clean website that the users trust.
"This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link," Cisco said.
"A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information."
In other words, the vulnerability can be exploited, but it depends on the victim’s action. The attacker would need to persuade the victim to click a specially crafted, malicious link.
The company said a fix is in the works but did not provide any timeline as to when it might get released. There are no workarounds.
While that might sound problematic, the Cisco Product Security Incident Response Team (PSIRT) found no evidence of the flaw being used in the wild.
The flaw was discovered by Pierre Vivegnis of NATO Cyber Security Centre (NCSC), Cisco said in its advisory.
- These are the best firewalls around