6.6
CVE-2019-1923
- EPSS 0.21%
- Veröffentlicht 17.07.2019 21:15:12
- Zuletzt bearbeitet 21.11.2024 04:37:41
- Quelle psirt@cisco.com
- Teams Watchlist Login
- Unerledigt Login
A vulnerability in Cisco Small Business SPA500 Series IP Phones could allow a physically proximate attacker to execute arbitrary commands on the device. The vulnerability is due to improper input validation in the device configuration interface. An attacker could exploit this vulnerability by accessing the configuration interface, which may require a password, and then accessing the device's physical interface and inserting a USB storage device. A successful exploit could allow the attacker to execute arbitrary commands on the device in an elevated security context. At the time of publication, this vulnerability affected Cisco Small Business SPA500 Series IP Phones firmware releases 7.6.2SR5 and prior.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Cisco ≫ Spa501g Firmware Version <= 7.6.2sr5
Cisco ≫ Spa502g Firmware Version <= 7.6.2sr5
Cisco ≫ Spa504g Firmware Version <= 7.6.2sr5
Cisco ≫ Spa508g Firmware Version <= 7.6.2sr5
Cisco ≫ Spa509g Firmware Version <= 7.6.2sr5
Cisco ≫ Spa512g Firmware Version <= 7.6.2sr5
Cisco ≫ Spa514g Firmware Version <= 7.6.2sr5
Cisco ≫ Spa525g2 Firmware Version <= 7.6.2sr5
Cisco ≫ Spa500s Firmware Version <= 7.6.2sr5
Cisco ≫ Spa500ds Firmware Version <= 7.6.2sr5
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.21% | 0.399 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.6 | 0.7 | 5.9 |
CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 4.6 | 3.9 | 6.4 |
AV:L/AC:L/Au:N/C:P/I:P/A:P
|
| psirt@cisco.com | 6.6 | 0.7 | 5.9 |
CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
CWE-20 Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.