NVD Vulnerability Detail

CVE-2011-2545

Summary	Cross-site scripting (XSS) vulnerability in the SIP implementation on the Cisco SPA8000 and SPA8800 before 6.1.11, SPA2102 and SPA3102 before 5.2.13, and SPA 500 series IP phones before 7.4.9 allows remote attackers to inject arbitrary web script or HTML via the FROM field of an INVITE message, aka Bug IDs CSCtr27277, CSCtr27256, CSCtr27274, and CSCtr14715.
Publication Date	June 14, 2012, 5:55 a.m.
Registration Date	Jan. 28, 2021, 4:38 p.m.
Last Update	Nov. 21, 2024, 10:28 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:o:cisco:spa8000_8-port_ip_telephony_gateway_firmware::::::::		6.1.10
cpe:2.3:o:cisco:spa8000_8-port_ip_telephony_gateway_firmware:5.1.12:::::::*
cpe:2.3:o:cisco:spa8000_8-port_ip_telephony_gateway_firmware:6.1.3:::::::*
cpe:2.3:h:cisco:spa8000_8-port_ip_telephony_gateway:-:::::::*

Configuration2	or higher	or less	more than	less than
cpe:2.3:o:cisco:spa8800_8-port_ip_telephony_gateway_firmware::::::::		6.1.7
cpe:2.3:h:cisco:spa8800_ip_telephony_gateway:-:::::::*

Configuration3	or higher	or less	more than	less than
cpe:2.3:o:cisco:spa2102_phone_adapter_with_router_firmware::::::::		5.2.12
cpe:2.3:o:cisco:spa2102_phone_adapter_with_router_firmware:5.2.3:::::::*
cpe:2.3:o:cisco:spa2102_phone_adapter_with_router_firmware:5.2.5:::::::*
cpe:2.3:o:cisco:spa2102_phone_adapter_with_router_firmware:5.2.10:::::::*
cpe:2.3:h:cisco:spa2102_phone_adapter_with_router:-:::::::*

Configuration4	or higher	or less	more than	less than
cpe:2.3:o:cisco:spa3102_voice_gateway_with_router_firmware::::::::		5.1.10
cpe:2.3:o:cisco:spa3102_voice_gateway_with_router_firmware:3.3.6:::::::*
cpe:2.3:o:cisco:spa3102_voice_gateway_with_router_firmware:5.1.7:::::::*
cpe:2.3:h:cisco:spa3102_voice_gateway_with_router:-:::::::*

Configuration5	or higher	or less	more than	less than
cpe:2.3:o:cisco:spa_500_series_ip_phone_firmware::::::::		7.4.8
cpe:2.3:o:cisco:spa_500_series_ip_phone_firmware:7.3.7:::::::*
cpe:2.3:o:cisco:spa_500_series_ip_phone_firmware:7.4.3:::::::*
cpe:2.3:o:cisco:spa_500_series_ip_phone_firmware:7.4.4:::::::*
cpe:2.3:o:cisco:spa_500_series_ip_phone_firmware:7.4.6:::::::*
cpe:2.3:o:cisco:spa_500_series_ip_phone_firmware:7.4.7:::::::*
cpe:2.3:h:cisco:spa_501g_8-line_ip_phone::::::::
cpe:2.3:h:cisco:spa_502g_1-line_ip_phone::::::::
cpe:2.3:h:cisco:spa_504g_4-line_ip_phone::::::::
cpe:2.3:h:cisco:spa_508g_8-line_ip_phone::::::::
cpe:2.3:h:cisco:spa_509g_12-line_ip_phone::::::::
cpe:2.3:h:cisco:spa_512g_1-line_ip_phone::::::::
cpe:2.3:h:cisco:spa_514g_4-line_ip_phone::::::::
cpe:2.3:h:cisco:spa_525g_5-line_ip_phone::::::::
cpe:2.3:h:cisco:spa_525g2_5-line_ip_phone::::::::

Related information, measures and tools

No	URL	refsource	タグ
1	http://tools.cisco.com/security/center/viewAlert.x?alertId=26037		Vendor Advisory
2	http://tools.cisco.com/security/center/viewAlert.x?alertId=26037		Vendor Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-79	クロスサイト・スクリプティング（XSS）	https://cwe.mitre.org/data/definitions/79.html

JVN Vulnerability Information

複数の Cisco 製品の SIP の実装におけるクロスサイトスクリプティングの脆弱性

Title	複数の Cisco 製品の SIP の実装におけるクロスサイトスクリプティングの脆弱性
Summary	複数の Cisco 製品の SIP の実装には、クロスサイトスクリプティングの脆弱性が存在します。本問題は、Bug ID CSCtr27277、CSCtr27256、CSCtr27274、および CSCtr14715 の問題です。
Possible impacts	第三者により、INVITE メッセージの FROM フィールドを介して、任意の Web スクリプトまたは HTML を挿入される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	June 12, 2012, midnight
Registration Date	June 15, 2012, 4:35 p.m.
Last Update	June 15, 2012, 4:35 p.m.

Affected System

シスコシステムズ

Cisco Small Business SPA500 シリーズ IP Phone ファームウェア 7.4.9 未満

Cisco SPA 501G 8-Line IP Phone

Cisco SPA 502G 1-Line IP Phone

Cisco SPA 504G 4-Line IP Phone

Cisco SPA 508G 8-Line IP Phone

Cisco SPA 509G 12-Line IP Phone

Cisco SPA 512G 1-Line IP Phone

Cisco SPA 514G 4-Line IP Phone

Cisco SPA 525G 5-Line IP Phone

Cisco SPA 525G2 5-Line IP Phone

Cisco SPA2102 Phone Adapter with Router

Cisco SPA2102 Phone Adapter with Router ファームウェア 5.2.13 未満

Cisco SPA3102 Voice Gateway with Router

Cisco SPA3102 Voice Gateway with Router ファームウェア 5.2.13 未満

Cisco SPA8000 8-port IP Telephony Gateway

Cisco SPA8000 8-port IP Telephony Gateway ファームウェア 6.1.11 未満

Cisco SPA8800 IP Telephony Gateway

Cisco SPA8800 IP Telephony Gateway ファームウェア 6.1.11 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2011-2545	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2545
National Vulnerability Database (NVD)
2	CVE-2011-2545	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2545

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-79	https://jvndb.jvn.jp/ja/cwe/CWE-79.html

ベンダー情報

No	Name	URL
Cisco Systems Inc
1	26037	http://tools.cisco.com/security/center/viewAlert.x?alertId=26037

Change Log

No	Changed Details	Date of change
0	[2012年06月15日] 掲載	Feb. 17, 2018, 10:37 a.m.

Configuration5	or higher	or less	more than	less than
cpe:2.3:o:cisco:spa_500_series_ip_phone_firmware::::::::		7.4.8
cpe:2.3:o:cisco:spa_500_series_ip_phone_firmware:7.3.7:::::::*
cpe:2.3:o:cisco:spa_500_series_ip_phone_firmware:7.4.3:::::::*
cpe:2.3:o:cisco:spa_500_series_ip_phone_firmware:7.4.4:::::::*
cpe:2.3:o:cisco:spa_500_series_ip_phone_firmware:7.4.6:::::::*
cpe:2.3:o:cisco:spa_500_series_ip_phone_firmware:7.4.7:::::::*
cpe:2.3:h:cisco:spa_501g_8-line_ip_phone::::::::
cpe:2.3:h:cisco:spa_502g_1-line_ip_phone::::::::
cpe:2.3:h:cisco:spa_504g_4-line_ip_phone::::::::
cpe:2.3:h:cisco:spa_508g_8-line_ip_phone::::::::
cpe:2.3:h:cisco:spa_509g_12-line_ip_phone::::::::
cpe:2.3:h:cisco:spa_512g_1-line_ip_phone::::::::
cpe:2.3:h:cisco:spa_514g_4-line_ip_phone::::::::
cpe:2.3:h:cisco:spa_525g_5-line_ip_phone::::::::
cpe:2.3:h:cisco:spa_525g2_5-line_ip_phone::::::::