Cisco has fixed three serious cross-site request forgery (CSRF) vulnerabilities in its Expressway Series collaboration gateway and a denial-of-service (DoS) flaw in the ClamAV anti-malware engine. CSRF flaws allow unauthenticated attackers to perform arbitrary actions on vulnerable devices by tricking users to click on a specifically crafted link. The actions execute with the privilege of the victim’s account and their nature depends on the vulnerability.
The first two CSRF issues, tracked as CVE-2024-20252 and CVE-2024-20254, are rated as critical with a score of 9.8 on the CVSS severity scale.
