Date: 2023-04-27

Cisco warned users about a zero-day XSS vulnerability affecting its Prime Collaboration Deployment solution.

A successful exploit of the vulnerability could allow the attacker to execute arbitrary script code.

The vulnerability, tracked as CVE-2023-20060, has a CVSS score of 6.1 and can be exploited to launch cross-site scripting attacks. It was found in the web-based management interface of Prime Collaboration Deployment 14 and earlier versions by Pierre Vivegnis from the NATO Cyber Security Center.

No fix, no workaround

Cisco describes the flaw as a vulnerability in the web-based management interface of Cisco Prime Collaboration Deployment that could allow an unauthenticated, remote attacker to conduct a cross-site scripting attack against a user of the interface. According to the announcement, the vulnerability is caused by the lack of proper validation of user-supplied input, and it can be exploited by persuading a user of the interface to click a crafted link. A successful exploit allows the attacker to execute arbitrary script code in the context of the affected interface or to access sensitive, browser-based information.

According to the advisory, the vulnerability affects all Cisco Prime Collaboration Deployment releases, version 14 and earlier. There is currently no workaround available. The fixed release, named 14SU3, is expected to be released in May 2023. Cisco also stated that there is no evidence of exploitation of the vulnerability in the wild yet.