Security

Cisco Patches High-Severity Vulnerabilities in Analog Telephone Adapters

.Cisco on Wednesday introduced patches for 8 susceptabilities in the firmware of ATA 190 series analog telephone adapters, featuring 2 high-severity defects resulting in arrangement improvements and cross-site demand bogus (CSRF) attacks.Influencing the web-based management interface of the firmware and also tracked as CVE-2024-20458, the 1st bug exists since certain HTTP endpoints are without authentication, permitting remote, unauthenticated aggressors to surf to a particular URL and also sight or even delete setups, or even customize the firmware.The second issue, tracked as CVE-2024-20421, allows distant, unauthenticated opponents to conduct CSRF attacks and also do arbitrary activities on susceptible devices. An attacker may exploit the safety and security issue by encouraging a consumer to click a crafted web link.Cisco likewise covered a medium-severity weakness (CVE-2024-20459) that might permit distant, validated attackers to perform approximate demands along with origin benefits.The continuing to be five safety and security problems, all medium extent, can be manipulated to administer cross-site scripting (XSS) strikes, implement random demands as root, view passwords, tweak device setups or reboot the device, and also function orders with administrator advantages.Depending on to Cisco, ATA 191 (on-premises or even multiplatform) as well as ATA 192 (multiplatform) units are affected. While there are no workarounds available, disabling the online control user interface in the Cisco ATA 191 on-premises firmware alleviates six of the imperfections.Patches for these bugs were actually consisted of in firmware version 12.0.2 for the ATA 191 analog telephone adapters, and also firmware version 11.2.5 for the ATA 191 and 192 multiplatform analog telephone adapters.On Wednesday, Cisco additionally announced spots for 2 medium-severity surveillance issues in the UCS Central Software organization management service and the Unified Call Facility Monitoring Website (Unified CCMP) that could trigger delicate info disclosure and also XSS assaults, respectively.Advertisement. Scroll to continue analysis.Cisco makes no reference of some of these vulnerabilities being actually made use of in the wild. Additional details could be located on the firm's protection advisories page.Connected: Splunk Organization Update Patches Remote Code Execution Vulnerabilities.Related: ICS Patch Tuesday: Advisories Published through Siemens, Schneider, Phoenix Az Call, CERT@VDE.Associated: Cisco to Buy Network Knowledge Company ThousandEyes.Connected: Cisco Patches Essential Vulnerabilities in Prime Structure (PRIVATE EYE) Software.