Vulnerability CVE-2019-1923


Published: 2019-07-17

Description:
A vulnerability in Cisco Small Business SPA500 Series IP Phones could allow a physically proximate attacker to execute arbitrary commands on the device. The vulnerability is due to improper input validation in the device configuration interface. An attacker could exploit this vulnerability by accessing the configuration interface, which may require a password, and then accessing the device's physical interface and inserting a USB storage device. A successful exploit could allow the attacker to execute arbitrary commands on the device in an elevated security context. At the time of publication, this vulnerability affected Cisco Small Business SPA500 Series IP Phones firmware releases 7.6.2SR5 and prior.

Type:

CWE-77

(Improper Neutralization of Special Elements used in a Command ('Command Injection'))

CVSS2 => (AV:L/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
4.6/10
6.4/10
3.9/10
Exploit range
Attack complexity
Authentication
Local
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial
Affected software
Cisco -> Spa500ds firmware 
Cisco -> Spa500s firmware 
Cisco -> Spa501g firmware 
Cisco -> Spa502g firmware 
Cisco -> Spa504g firmware 
Cisco -> Spa508g firmware 
Cisco -> Spa509g firmware 
Cisco -> Spa512g firmware 
Cisco -> Spa514g firmware 
Cisco -> Spa525g2 firmware 

 References:
http://www.securityfocus.com/bid/109294
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190717-spa500-command

Copyright 2024, cxsecurity.com

 

Back to Top