Refine your search
1 vulnerability found for Cisco TelePresence Video Communication Server (VCS) Expressway by Cisco
CVE-2023-20209 (GCVE-0-2023-20209)
Vulnerability from cvelistv5
Published
2023-08-16 20:59
Modified
2025-12-16 18:23
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Summary
A vulnerability in the web-based management interface of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an authenticated, remote attacker with read-write privileges on the application to perform a command injection attack that could result in remote code execution on an affected device.
This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface of an affected device. A successful exploit could allow the attacker to establish a remote shell with root privileges.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Cisco | Cisco TelePresence Video Communication Server (VCS) Expressway |
Version: X8.5.1 Version: X8.5.3 Version: X8.5 Version: X8.6.1 Version: X8.6 Version: X8.1.1 Version: X8.1.2 Version: X8.1 Version: X8.2.1 Version: X8.2.2 Version: X8.2 Version: X8.7.1 Version: X8.7.2 Version: X8.7.3 Version: X8.7 Version: X8.8.1 Version: X8.8.2 Version: X8.8.3 Version: X8.8 Version: X8.9.1 Version: X8.9.2 Version: X8.9 Version: X8.10.0 Version: X8.10.1 Version: X8.10.2 Version: X8.10.3 Version: X8.10.4 Version: X12.5.8 Version: X12.5.9 Version: X12.5.0 Version: X12.5.2 Version: X12.5.7 Version: X12.5.3 Version: X12.5.4 Version: X12.5.5 Version: X12.5.1 Version: X12.5.6 Version: X12.6.0 Version: X12.6.1 Version: X12.6.2 Version: X12.6.3 Version: X12.6.4 Version: X12.7.0 Version: X12.7.1 Version: X8.11.1 Version: X8.11.2 Version: X8.11.4 Version: X8.11.3 Version: X8.11.0 Version: X14.0.1 Version: X14.0.3 Version: X14.0.2 Version: X14.0.4 Version: X14.0.5 Version: X14.0.6 Version: X14.0.7 Version: X14.0.8 Version: X14.0.9 Version: X14.0.10 Version: X14.0.11 Version: X14.2.1 Version: X14.2.2 Version: X14.2.5 Version: X14.2.6 Version: X14.2.0 Version: X14.2.7 Version: X14.3.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T09:05:35.876Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "cisco-sa-expressway-injection-X475EbTQ",
"tags": [
"x_transferred"
],
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-expressway-injection-X475EbTQ"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-20209",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-03T14:25:12.682012Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T18:23:20.308Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Cisco TelePresence Video Communication Server (VCS) Expressway",
"vendor": "Cisco",
"versions": [
{
"status": "affected",
"version": "X8.5.1"
},
{
"status": "affected",
"version": "X8.5.3"
},
{
"status": "affected",
"version": "X8.5"
},
{
"status": "affected",
"version": "X8.6.1"
},
{
"status": "affected",
"version": "X8.6"
},
{
"status": "affected",
"version": "X8.1.1"
},
{
"status": "affected",
"version": "X8.1.2"
},
{
"status": "affected",
"version": "X8.1"
},
{
"status": "affected",
"version": "X8.2.1"
},
{
"status": "affected",
"version": "X8.2.2"
},
{
"status": "affected",
"version": "X8.2"
},
{
"status": "affected",
"version": "X8.7.1"
},
{
"status": "affected",
"version": "X8.7.2"
},
{
"status": "affected",
"version": "X8.7.3"
},
{
"status": "affected",
"version": "X8.7"
},
{
"status": "affected",
"version": "X8.8.1"
},
{
"status": "affected",
"version": "X8.8.2"
},
{
"status": "affected",
"version": "X8.8.3"
},
{
"status": "affected",
"version": "X8.8"
},
{
"status": "affected",
"version": "X8.9.1"
},
{
"status": "affected",
"version": "X8.9.2"
},
{
"status": "affected",
"version": "X8.9"
},
{
"status": "affected",
"version": "X8.10.0"
},
{
"status": "affected",
"version": "X8.10.1"
},
{
"status": "affected",
"version": "X8.10.2"
},
{
"status": "affected",
"version": "X8.10.3"
},
{
"status": "affected",
"version": "X8.10.4"
},
{
"status": "affected",
"version": "X12.5.8"
},
{
"status": "affected",
"version": "X12.5.9"
},
{
"status": "affected",
"version": "X12.5.0"
},
{
"status": "affected",
"version": "X12.5.2"
},
{
"status": "affected",
"version": "X12.5.7"
},
{
"status": "affected",
"version": "X12.5.3"
},
{
"status": "affected",
"version": "X12.5.4"
},
{
"status": "affected",
"version": "X12.5.5"
},
{
"status": "affected",
"version": "X12.5.1"
},
{
"status": "affected",
"version": "X12.5.6"
},
{
"status": "affected",
"version": "X12.6.0"
},
{
"status": "affected",
"version": "X12.6.1"
},
{
"status": "affected",
"version": "X12.6.2"
},
{
"status": "affected",
"version": "X12.6.3"
},
{
"status": "affected",
"version": "X12.6.4"
},
{
"status": "affected",
"version": "X12.7.0"
},
{
"status": "affected",
"version": "X12.7.1"
},
{
"status": "affected",
"version": "X8.11.1"
},
{
"status": "affected",
"version": "X8.11.2"
},
{
"status": "affected",
"version": "X8.11.4"
},
{
"status": "affected",
"version": "X8.11.3"
},
{
"status": "affected",
"version": "X8.11.0"
},
{
"status": "affected",
"version": "X14.0.1"
},
{
"status": "affected",
"version": "X14.0.3"
},
{
"status": "affected",
"version": "X14.0.2"
},
{
"status": "affected",
"version": "X14.0.4"
},
{
"status": "affected",
"version": "X14.0.5"
},
{
"status": "affected",
"version": "X14.0.6"
},
{
"status": "affected",
"version": "X14.0.7"
},
{
"status": "affected",
"version": "X14.0.8"
},
{
"status": "affected",
"version": "X14.0.9"
},
{
"status": "affected",
"version": "X14.0.10"
},
{
"status": "affected",
"version": "X14.0.11"
},
{
"status": "affected",
"version": "X14.2.1"
},
{
"status": "affected",
"version": "X14.2.2"
},
{
"status": "affected",
"version": "X14.2.5"
},
{
"status": "affected",
"version": "X14.2.6"
},
{
"status": "affected",
"version": "X14.2.0"
},
{
"status": "affected",
"version": "X14.2.7"
},
{
"status": "affected",
"version": "X14.3.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in the web-based management interface of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an authenticated, remote attacker with read-write privileges on the application to perform a command injection attack that could result in remote code execution on an affected device.\r\n\r This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface of an affected device. A successful exploit could allow the attacker to establish a remote shell with root privileges."
}
],
"exploits": [
{
"lang": "en",
"value": "The Cisco PSIRT is aware that proof-of-concept exploit code is available for the vulnerability described in this advisory.\r\n\r\nThe Cisco PSIRT is not aware of any malicious use of the vulnerability that is described in this advisory."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "cvssV3_1"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-25T16:58:00.269Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"name": "cisco-sa-expressway-injection-X475EbTQ",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-expressway-injection-X475EbTQ"
}
],
"source": {
"advisory": "cisco-sa-expressway-injection-X475EbTQ",
"defects": [
"CSCwf57215"
],
"discovery": "EXTERNAL"
}
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2023-20209",
"datePublished": "2023-08-16T20:59:41.848Z",
"dateReserved": "2022-10-27T18:47:50.367Z",
"dateUpdated": "2025-12-16T18:23:20.308Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}