Vulnerability Details : CVE-2020-3360
A vulnerability in the Web Access feature of Cisco IP Phones Series 7800 and Series 8800 could allow an unauthenticated, remote attacker to view sensitive information on an affected device. The vulnerability is due to improper access controls on the web-based management interface of an affected device. An attacker could exploit this vulnerability by sending malicious requests to the device, which could allow the attacker to bypass access restrictions. A successful attack could allow the attacker to view sensitive information, including device call logs that contain names, usernames, and phone numbers of users of the device.
Vulnerability category: Information leak
Products affected by CVE-2020-3360
- cpe:2.3:o:cisco:unified_ip_phone_6901_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:unified_ip_phone_6961_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:unified_ip_phone_6945_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:unified_ip_phone_6941_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:unified_ip_phone_6921_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:unified_ip_phone_6911_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:unified_ip_phone_7832_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:unified_ip_phone_7861_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:unified_ip_phone_7841_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:unified_ip_phone_7821_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:unified_ip_phone_7811_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:unified_ip_phone_7937g_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:unified_ip_phone_7975g_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:unified_ip_phone_7965g_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:unified_ip_phone_7962g_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:unified_ip_phone_7961g_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:unified_ip_phone_7960g_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:unified_ip_phone_7945g_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:unified_ip_phone_7942g_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:unified_ip_phone_7941g_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:unified_ip_phone_7940g_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:unified_ip_phone_7931g_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:unified_ip_phone_7911g_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:unified_ip_phone_7906g_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:unified_ip_phone_8811_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:unified_ip_phone_8841_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:unified_ip_phone_8845_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:unified_ip_phone_8851_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:unified_ip_phone_8851nr_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:unified_ip_phone_8861_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:unified_ip_phone_8865_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:unified_ip_phone_8865nr_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:unified_ip_phone_8961_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:unified_ip_phone_8945_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:unified_ip_phone_8941_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:unified_ip_phone_9971_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:unified_ip_phone_9951_firmware:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-3360
0.18%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 55 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-3360
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
10.0
|
2.9
|
NIST | |
5.3
|
MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
3.9
|
1.4
|
Cisco Systems, Inc. | |
5.3
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
3.9
|
1.4
|
NIST |
CWE ids for CVE-2020-3360
-
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.Assigned by: ykramarz@cisco.com (Secondary)
-
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-3360
-
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-phone-logs-2O7f7ExM
Cisco IP Phones Series 7800 and Series 8800 Call Log Information Disclosure VulnerabilityVendor Advisory
Jump to