4.8

CVE-2021-1154

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface. The vulnerabilities are due to insufficient input validation by the web-based management interface. An attacker could exploit these vulnerabilities by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit these vulnerabilities, an attacker would need to have valid administrator credentials on the affected device.

Data is provided by the National Vulnerability Database (NVD)
CiscoRv110w Firmware Version1.2.2.8
   CiscoRv110w Version-
CiscoRv110w Firmware Version1.3.1.7
   CiscoRv110w Version-
CiscoRv130 Vpn Router Firmware Version1.2.2.8
   CiscoRv130 Vpn Router Version-
CiscoRv130 Vpn Router Firmware Version1.3.1.7
   CiscoRv130 Vpn Router Version-
CiscoRv130w Firmware Version1.2.2.8
   CiscoRv130w Version-
CiscoRv130w Firmware Version1.3.1.7
   CiscoRv130w Version-
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 0.04% 0.066
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 4.8 1.7 2.7
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov 3.5 6.8 2.9
AV:N/AC:M/Au:S/C:N/I:P/A:N
psirt@cisco.com 4.8 1.7 2.7
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.