Vulnerability CVE-2019-1923


Published: 2019-07-17

Description:
A vulnerability in Cisco Small Business SPA500 Series IP Phones could allow a physically proximate attacker to execute arbitrary commands on the device. The vulnerability is due to improper input validation in the device configuration interface. An attacker could exploit this vulnerability by accessing the configuration interface, which may require a password, and then accessing the device's physical interface and inserting a USB storage device. A successful exploit could allow the attacker to execute arbitrary commands on the device in an elevated security context. At the time of publication, this vulnerability affected Cisco Small Business SPA500 Series IP Phones firmware releases 7.6.2SR5 and prior.

Type:

CWE-77 (Improper Neutralization of Special Elements used in a Command ('Command Injection'))

CVSS2 => (AV:L/AC:L/Au:N/C:P/I:P/A:P)

Overall CVSS score: 4.6/10
Impact: 6.4/10
Exploitability: 3.9/10

Access required: Local
Attack complexity: Low
Authentication: Not required

Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Affected software
Cisco -> Spa500ds firmware 
Cisco -> Spa500s firmware 
Cisco -> Spa501g firmware 
Cisco -> Spa502g firmware 
Cisco -> Spa504g firmware 
Cisco -> Spa508g firmware 
Cisco -> Spa509g firmware 
Cisco -> Spa512g firmware 
Cisco -> Spa514g firmware 
Cisco -> Spa525g2 firmware 

References:
http://www.securityfocus.com/bid/109294
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190717-spa500-command
