Cisco – Cisco SPA 300 and 500 Series IP Phones allow XSS

Advisory ID


Vulnerability Information



A remote user can exploit a cross-site scripting (XSS) vulnerability in the Cisco SPA300 and SPA500 Series IP Phones. The vulnerability is due to insufficient validation of user-supplied input by the web user interface of an affected device.

Release Date



SIP (Session Initiation Protocol) is a protocol used for the initiation, modification and termination of voice and video calls over IP networks. This protocol is implemented in multiple Cisco Systems products such as routers, switches and firewalls.

Technical Information



A successful exploit could allow the attacker to execute arbitrary script code in the user’s browser session and steal sensitive information, such as authentication cookies or recently submitted data. CVE-2014-3313 was assigned to this bug; refer to it for more information on the affected versions.




The UCTM solution from RedShift Networks provides the industry’s first complete security solution developed to secure VoIP networks, endpoints and applications. Its research team is constantly looking for new attack patterns, advanced penetration testing methods, vulnerability identification and deployment of new signatures for constantly subscribed clients. For more information visit

External Resources



Cisco Security Advisory

Common Vulnerabilities and Exposures (CVE)