Cisco Prime Collaboration Deployment software has been found to have a zero-day vulnerability that could allow cross-site scripting attacks. Cisco Prime Collaboration Deployment is a server management application that assists in migrating clusters running older software versions to new virtual machines, as well as performing fresh installs and upgrades on existing clusters. Cisco have stated that only the Cisco Prime Collaboration Deployment software is affected by this vulnerability, in versions 14 and earlier.
This vulnerability is tracked as CVE-2023-20060 and has been given a medium severity rating, with a CVSS base score of 6.1. The flaw lies in the web-based management interface of Cisco Prime Collaboration Deployment, which does not properly validate user-supplied input. Exploiting this input validation flaw requires user interaction: a user of the interface must click a malicious link supplied by the attacker, and this requirement contributes to the lower severity rating. Once the user clicks the link, the attacker's arbitrary script code executes in the context of the vulnerable interface, a cross-site scripting attack. An attacker could also potentially gain access to sensitive browser-based information on the affected interface.
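The advisory text does not describe which page or parameter of the management interface is affected, so the following is an added illustration, not Cisco's code: a hypothetical handler that reflects a `cluster` query parameter into HTML, shown in the improper-input-validation form beside a hardened form that applies an allowlist and HTML-encodes on output. The parameter name, URL and page layout are assumptions; the sample link is constructed.

```python
# Added example (not Cisco's code): the improper-input-validation pattern behind a
# reflected cross-site scripting flaw, and the server-side controls that close it.
# The hypothetical 'cluster' parameter, URL and page layout are assumptions.
import html
import re
from urllib.parse import parse_qs, urlsplit

# Allowlist for a hostname-like cluster name: letters, digits, dots and hyphens only.
CLUSTER_NAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,64}$")


def cluster_from_url(url: str) -> str:
    """Extract the parameter the way a handler would from a link a user clicked.
    parse_qs percent-decodes, so encoded angle brackets come back as markup."""
    query = parse_qs(urlsplit(url).query)
    return query.get("cluster", [""])[0]


def render_vulnerable(cluster: str) -> str:
    """Reflects the parameter into HTML verbatim: any markup carried in the link
    becomes part of the page and runs in the viewing user's session."""
    return f"<h1>Migrating cluster {cluster}</h1>"


def render_hardened(cluster: str) -> str:
    """Validate against the allowlist first, then HTML-encode on output.
    Encoding is applied on the error path too, so no path echoes raw input."""
    if not CLUSTER_NAME_RE.fullmatch(cluster):
        return f"<h1>Invalid cluster name: {html.escape(cluster, quote=True)}</h1>"
    return f"<h1>Migrating cluster {html.escape(cluster, quote=True)}</h1>"


def reflected_unescaped(page: str, supplied: str) -> bool:
    """Test-harness check: did caller-supplied input containing markup survive
    into the response body as live tags rather than as encoded text?"""
    return "<" in supplied and supplied in page


if __name__ == "__main__":
    # Constructed sample link; %3C and %3E decode to '<' and '>'.
    link = "https://pcd.example.invalid/migrate?cluster=%3Cb%3Emarker%3C%2Fb%3E"
    name = cluster_from_url(link)
    print("vulnerable :", render_vulnerable(name), reflected_unescaped(render_vulnerable(name), name))
    print("hardened   :", render_hardened(name), reflected_unescaped(render_hardened(name), name))
```

The allowlist rejects anything that is not a plausible cluster name, and the output encoding is kept even for values that passed validation, so a later relaxation of the regex does not silently reopen the flaw.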
The Cisco Product Security Incident Response Team (PSIRT) have stated that there is currently no evidence of this vulnerability being exploited in the wild. Cisco have not released any workarounds to mitigate this flaw; however, software updates are planned to address it. The first fixed release, version 14SU3, is planned for May 2023. Users of affected Cisco Prime Collaboration Deployment software are advised to monitor the Cisco Security Advisories page for further information on this flaw and other Cisco vulnerabilities, or to contact the Cisco Technical Assistance Center (TAC) for further support.
“We were very impressed with the service, I will say, the vulnerability found was one our previous organisation had not picked up, which does make you wonder if anything else was missed.”
Aim Ltd Chief Technology Officer (CTO)