CVE-2019-12703

Published: Oct 16, 2019Modified: Nov 21, 2024

5.2

Vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.1 / Impact: 2.7

Source: NVD

Description

A vulnerability in the web-based management interface of Cisco SPA122 ATA with Router Devices could allow an unauthenticated, adjacent attacker to conduct cross-site scripting attacks. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of the affected software. An attacker could exploit this vulnerability by sending malicious input to the affected software through crafted DHCP requests, and then persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.

Affected (5)

Products: Cisco: Spa122 Firmware

Cisco

1 product

Spa122 Firmware

Configuration A

5 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Cisco Spa122 Firmware	Before 1.4.1
Cisco Spa122 Firmware	Version 1.4.1
Cisco Spa122 Firmware	Version 1.4.1 sr1
Cisco Spa122 Firmware	Version 1.4.1 sr2
Cisco Spa122 Firmware	Version 1.4.1 sr3

Running on/with	Platform Versions
Cisco Spa122	All versions

Related CWEs

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (2)

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-dhcp-xss

Source: psirt@cisco.com

Vendor Advisory

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-dhcp-xss

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.