Security News > 2023 > April > Cisco discloses XSS zero-day flaw in server management tool
Cisco disclosed today a zero-day vulnerability in the company's Prime Collaboration Deployment software that can be exploited for cross-site scripting attacks.
Tracked as CVE-2023-20060, the bug was found in the web-based management interface of Cisco PCD 14 and earlier by Pierre Vivegnis of the NATO Cyber Security Centre.
"This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link," Cisco explains.
While Cisco shared info on the flaw's impact, the company will release security updates to address it sometime next month.
Luckily, the Cisco Product Security Incident Response Team has yet to find any evidence of malicious use in the wild and is unaware of public exploit code targeting the bug.
Even though Cisco didn't provide a workaround for this IP Phone zero-day, it advised admins to apply temporary mitigation measures, which requires disabling the Cisco Discovery Protocol on affected devices supporting Link Layer Discovery Protocol as a fallback option.