CVE-2020-3332
- EPSS 1.98%
- Published 16.07.2020 18:15:17
- Last modified 21.11.2024 05:30:49
- Source psirt@cisco.com
A vulnerability in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Series Routers could allow an authenticated, remote attacker to inject arbitrary shell commands that are executed by an affected device. The vulnerability is due to insufficient input validation of user-supplied data. An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface of an affected device. A successful exploit could allow the attacker to execute arbitrary shell commands or scripts with root privileges on the affected device.
Data is provided by the National Vulnerability Database (NVD)
Cisco ≫ RV110W Wireless-N VPN Firewall Firmware Version < 1.2.2.8
Cisco ≫ RV130 VPN Router Firmware Version < 1.0.3.55
Cisco ≫ RV130W Wireless-N Multifunction VPN Router Firmware Version < 1.0.3.55
Cisco ≫ RV215W Wireless-N VPN Router Firmware Version < 1.3.1.7
No CISA KEV entry or CERT.AT warning was found for this CVE.
Type | Source | Score | Percentile |
---|---|---|---|
EPSS | FIRST.org | 1.98% | 0.828 |
Source | Base Score | Exploit Score | Impact Score | Vector string |
---|---|---|---|---|
nvd@nist.gov | 8.8 | 2.8 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
nvd@nist.gov | 9 | 8 | 10 | AV:N/AC:L/Au:S/C:C/I:C/A:C |
psirt@cisco.com | 8.1 | 2.8 | 5.2 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H |
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.