CVE-2018-14935

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in the web administration console of Polycom Trio devices running software versions prior to 5.5.4 [1]. The flaw allows an attacker to inject malicious scripts that are stored and later served to other users of the console without proper sanitization.

Exploitation

An attacker must already have authenticated access to the web administration console (e.g., as a low-privilege admin or via compromised credentials) [1]. The attacker can then inject crafted JavaScript payloads into input fields (such as configuration parameters or contact entries) that are not sanitized by the application. When a privileged administrator views the affected page, the stored script executes within their browser session.

Impact

Successful exploitation enables the attacker to perform administrative actions with the privileges of the victim, including modifying system settings, exfiltrating sensitive data (such as call logs or credentials), and potentially gaining persistent access to the device [1]. The impact is limited to the web console UI layer; full device compromise is not automatically achieved but can be escalated.

Mitigation

Polycom released software version 5.5.4 to address this vulnerability [1]. Administrators should update Trio devices to this version or later. No workarounds are documented in the available references; restricting web console access to trusted networks and users reduces exposure but does not fully remediate the issue.