A zero-day flaw has been discovered in Cisco product, which could result in threat actors running malicious code remotely or stealing sensitive data from target endpoints.
The vulnerability was found in a product called Prime Collaboration Deployment (PCD), a tool used by IT teams to migrate and upgrade their servers. The flaw is now tracked as CVE-2023-20060, a medium severity with a CVSS score of 6.1. It’s described as a cross-site scripting vulnerability that can be abused to launch arbitrary code.
This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link,
The vulnerability can be exploited, but it depends on the victim’s action. The attacker would need to persuade the victim to click a specially crafted, malicious link.
Cisco said a fix will be soon released and did not provide any timeline as to when it might get released. There are no workarounds.
Cisco PSIRT found no evidence of the flaw being used in the wild.