Strix
26.1K

CVE-2023-20188

MEDIUMCVSS 4.8/10EPSS 0.48%

Last modified

CVE-2023-20188 is a medium-severity vulnerability rated 4.8/10 on the CVSS scale. A vulnerability in the web-based management interface of Cisco Small Business 200 Series Smart Switches, Cisco Small Business 300 Series Managed Switches, and Cisco Small Business 500 Series Stackable Managed Switches could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by persuading a user of an affected interface to view a page containing malicious HTML or script content. EPSS estimates a 0.48% chance of exploitation in the next 30 days.

Description

A vulnerability in the web-based management interface of Cisco Small Business 200 Series Smart Switches, Cisco Small Business 300 Series Managed Switches, and Cisco Small Business 500 Series Stackable Managed Switches could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by persuading a user of an affected interface to view a page containing malicious HTML or script content. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker would need to have valid credentials to access the web-based management interface of the affected device. Cisco has not released software updates to address this vulnerability.

Metrics

CVSS 3.1
4.8/10

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

EPSS Probability
0.48%

38.0th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
CiscoSf200-24 Firmware1.4.11.02
CiscoSf200-24fp Firmware1.4.11.02
CiscoSf200-24p Firmware1.4.11.02
CiscoSf200-48 Firmware1.4.11.02
CiscoSf200-48p Firmware1.4.11.02
CiscoSf300-08 Firmware1.4.11.02
CiscoSf300-24 Firmware1.4.11.02
CiscoSf300-24mp Firmware1.4.11.02
CiscoSf300-24p Firmware1.4.11.02
CiscoSf300-24pp Firmware1.4.11.02
CiscoSf300-48 Firmware1.4.11.02
CiscoSf300-48p Firmware1.4.11.02
CiscoSf300-48pp Firmware1.4.11.02
CiscoSf302-08 Firmware1.4.11.02
CiscoSf302-08mp Firmware1.4.11.02
CiscoSf302-08mpp Firmware1.4.11.02
CiscoSf302-08p Firmware1.4.11.02
CiscoSf302-08pp Firmware1.4.11.02
CiscoSf500-24 Firmware1.4.11.02
CiscoSf500-24mp Firmware1.4.11.02
CiscoSf500-24p Firmware1.4.11.02
CiscoSf500-48 Firmware1.4.11.02
CiscoSf500-48mp Firmware1.4.11.02
CiscoSf500-48p Firmware1.4.11.02
CiscoSg200-08 Firmware1.4.11.02
CiscoSg200-08p Firmware1.4.11.02
CiscoSg200-10fp Firmware1.4.11.02
CiscoSg200-18 Firmware1.4.11.02
CiscoSg200-26 Firmware1.4.11.02
CiscoSg200-26fp Firmware1.4.11.02
CiscoSg200-26p Firmware1.4.11.02
CiscoSg200-50 Firmware1.4.11.02
CiscoSg200-50fp Firmware1.4.11.02
CiscoSg200-50p Firmware1.4.11.02
CiscoSg300-10 Firmware1.4.11.02
CiscoSg300-10mp Firmware1.4.11.02
CiscoSg300-10mpp Firmware1.4.11.02
CiscoSg300-10p Firmware1.4.11.02
CiscoSg300-10pp Firmware1.4.11.02
CiscoSg300-10sfp Firmware1.4.11.02
CiscoSg300-20 Firmware1.4.11.02
CiscoSg300-28 Firmware1.4.11.02
CiscoSg300-28mp Firmware1.4.11.02
CiscoSg300-28p Firmware1.4.11.02
CiscoSg300-28pp Firmware1.4.11.02
CiscoSg300-28sfp Firmware1.4.11.02
CiscoSg300-52 Firmware1.4.11.02
CiscoSg300-52mp Firmware1.4.11.02
CiscoSg300-52p Firmware1.4.11.02
CiscoSg500-28 Firmware1.4.11.02

Showing 50 of 122 affected configurations. See NVD for the full list.

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2023-20188?
A vulnerability in the web-based management interface of Cisco Small Business 200 Series Smart Switches, Cisco Small Business 300 Series Managed Switches, and Cisco Small Business 500 Series Stackable Managed Switches could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by persuading a user of an affected interface to view a page containing malicious HTML or script content. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker would need to have valid credentials to access the web-based management interface of the affected device. Cisco has not released software updates to address this vulnerability.
How severe is CVE-2023-20188?
CVE-2023-20188 has a CVSS score of 4.8/10 (MEDIUM severity). The EPSS model estimates a 0.48% probability of exploitation in the next 30 days.
How do I fix CVE-2023-20188?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2023-20188?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST