CVE-2019-1914

Published: Aug 7, 2019Modified: Nov 21, 2024

7.2

Vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.2 / Impact: 5.9

Source: NVD

Description

A vulnerability in the web management interface of Cisco Small Business 220 Series Smart Switches could allow an authenticated, remote attacker to perform a command injection attack. The vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a malicious request to certain parts of the web management interface. To send the malicious request, the attacker needs a valid login session in the web management interface as a privilege level 15 user. Depending on the configuration of the affected switch, the malicious request must be sent via HTTP or HTTPS. A successful exploit could allow the attacker to execute arbitrary shell commands with the privileges of the root user.

Affected (11)

Products: Cisco: Sf 220 24 Firmware, Sf220 24p Firmware, Sf220 48 Firmware, Sf220 48p Firmware, Sg220 26 Firmware, Sg220 26p Firmware, Sg220 28 Firmware, Sg220 28mp Firmware, Sg220 50 Firmware, Sg220 50p Firmware, Sg220 52 Firmware

11 products

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Cisco Sf 220 24 Firmware	Before 1.1.4.4

Running on/with	Platform Versions
Cisco Sf 220 24	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Cisco Sf220 24p Firmware	Before 1.1.4.4

Running on/with	Platform Versions
Cisco Sf220 24p	All versions

Configuration C

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Cisco Sf220 48 Firmware	Before 1.1.4.4

Running on/with	Platform Versions
Cisco Sf220 48	All versions

Configuration D

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Cisco Sf220 48p Firmware	Before 1.1.4.4

Running on/with	Platform Versions
Cisco Sf220 48p	All versions

Configuration E

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Cisco Sg220 26 Firmware	Before 1.1.4.4

Running on/with	Platform Versions
Cisco Sg220 26	All versions

Configuration F

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Cisco Sg220 26p Firmware	Before 1.1.4.4

Running on/with	Platform Versions
Cisco Sg220 26p	All versions

Configuration G

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Cisco Sg220 28 Firmware	Before 1.1.4.4

Running on/with	Platform Versions
Cisco Sg220 28	All versions

Configuration H

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Cisco Sg220 28mp Firmware	Before 1.1.4.4

Running on/with	Platform Versions
Cisco Sg220 28mp	All versions

Configuration I

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Cisco Sg220 50 Firmware	Before 1.1.4.4

Running on/with	Platform Versions
Cisco Sg220 50	All versions

Configuration J

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Cisco Sg220 50p Firmware	Before 1.1.4.4

Running on/with	Platform Versions
Cisco Sg220 50p	All versions

Configuration K

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Cisco Sg220 52 Firmware	Before 1.1.4.4

Running on/with	Platform Versions
Cisco Sg220 52	All versions

Related CWEs

CWE-20

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (4)

http://packetstormsecurity.com/files/154667/Realtek-Managed-Switch-Controller-RTL83xx-Stack-Overflow.html

Source: psirt@cisco.com

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190806-sb220-inject

Source: psirt@cisco.com

Vendor Advisory

http://packetstormsecurity.com/files/154667/Realtek-Managed-Switch-Controller-RTL83xx-Stack-Overflow.html

Source: af854a3a-2127-422b-91ae-364da2661108

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190806-sb220-inject

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.