Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2018-15434

A vulnerability in the web-based management interface of Cisco Unified IP Phone 7900 Series could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit this vulnerability by persuading a user of the interface to click a malicious link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.

Security Impact Summary

This vulnerability carries a MEDIUM severity rating with a CVSS v3.1 score of 6.1, indicating it can be exploited remotely over the network with relatively low complexity though user interaction is required and does not require pre-existing privileges . The vulnerability impacts limited data confidentiality, limited integrity, for affected systems. Impacting 23 products from cisco, from cisco, from cisco and 20 others, organizations running these solutions should prioritize assessment and patching.

Historical Context

First disclosed in 2018, this vulnerability was reported during a period defined by widespread IoT adoption challenges, mobile security concerns, and the emergence of advanced persistent threat (APT) techniques. Contemporary mitigation strategies focused on secure development practices and third-party component vetting.

Published

2018-10-05T14:29:12.233

Last Modified

2024-11-21T03:50:47.400

Status

Modified

Source

[email protected]

Severity

CVSSv3.0: 6.1 (MEDIUM)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:N/I:P/A:N

  • Access Vector: NETWORK
  • Access Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: NONE
  • Integrity Impact: PARTIAL
  • Availability Impact: NONE
Exploitability Score

8.6

Impact Score

2.9

Weaknesses
  • Type: Secondary
    CWE-79
  • Type: Primary
    CWE-79
Affected Vendors & Products
Type Vendor Product Version/Range Vulnerable?
Operating System cisco skinny_client_control_protocol_software 9.4\(2\) Yes
Hardware cisco unified_ip_phones_7906g * No
Hardware cisco unified_ip_phones_7911g * No
Hardware cisco unified_ip_phones_7912g * No
Hardware cisco unified_ip_phones_7920_multi-charger * No
Hardware cisco unified_ip_phones_7921g * No
Hardware cisco unified_ip_phones_7925g * No
Hardware cisco unified_ip_phones_7925g-ex * No
Hardware cisco unified_ip_phones_7926g * No
Hardware cisco unified_ip_phones_7931g * No
Hardware cisco unified_ip_phones_7940g * No
Hardware cisco unified_ip_phones_7941g * No
Hardware cisco unified_ip_phones_7942g * No
Hardware cisco unified_ip_phones_7945g * No
Hardware cisco unified_ip_phones_7960g * No
Hardware cisco unified_ip_phones_7961g * No
Hardware cisco unified_ip_phones_7962g * No
Hardware cisco unified_ip_phones_7965g * No
Hardware cisco unified_ip_phones_7975g * No
Hardware cisco unified_ip_phones_conference_station_7936 * No
Hardware cisco unified_ip_phones_conference_station_7937g * No
Hardware cisco unified_ip_phones_expansion_module_7915 * No
Hardware cisco unified_ip_phones_expansion_module_7916 * No
References

How SecUtils Interprets This CVE

SecUtils normalizes and enriches National Vulnerability Database (NVD) records by standardizing vendor and product identifiers, aggregating vulnerability metadata from both NVD and MITRE sources, and providing structured context for security teams. For cisco's affected products, we extract Common Platform Enumeration (CPE) data, Common Weakness Enumeration (CWE) classifications, CVSS severity metrics, and reference data to enable rapid vulnerability prioritization and asset correlation. This record contains no exploit code, proof-of-concept instructions, or attack methodologies—only defensive intelligence necessary for patch management, risk assessment, and security operations.