← Back

CVE-2019-1923

nvd nist
Published: Jul 17, 2019Modified: Nov 21, 2024

JSON object

Loading...
6.6
Vector
CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 0.7 / Impact: 5.9
Source: NVD

Description

A vulnerability in Cisco Small Business SPA500 Series IP Phones could allow a physically proximate attacker to execute arbitrary commands on the device. The vulnerability is due to improper input validation in the device configuration interface. An attacker could exploit this vulnerability by accessing the configuration interface, which may require a password, and then accessing the device's physical interface and inserting a USB storage device. A successful exploit could allow the attacker to execute arbitrary commands on the device in an elevated security context. At the time of publication, this vulnerability affected Cisco Small Business SPA500 Series IP Phones firmware releases 7.6.2SR5 and prior.

Affected (10)

Cisco
10 products
Spa501g Firmware
Spa502g Firmware
Spa504g Firmware
Spa508g Firmware
Spa509g Firmware
Spa512g Firmware
Spa514g Firmware
Spa525g2 Firmware
Spa500s Firmware
Spa500ds Firmware
Configuration A
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Spa501g Firmware
Up to 7.6.2sr5
Running on/withPlatform Versions
Cisco
Spa501g
All versions
Configuration B
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Spa502g Firmware
Up to 7.6.2sr5
Running on/withPlatform Versions
Cisco
Spa502g
All versions
Configuration C
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Spa504g Firmware
Up to 7.6.2sr5
Running on/withPlatform Versions
Cisco
Spa504g
All versions
Configuration D
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Spa508g Firmware
Up to 7.6.2sr5
Running on/withPlatform Versions
Cisco
Spa508g
All versions
Configuration E
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Spa509g Firmware
Up to 7.6.2sr5
Running on/withPlatform Versions
Cisco
Spa509g
All versions
Configuration F
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Spa512g Firmware
Up to 7.6.2sr5
Running on/withPlatform Versions
Cisco
Spa512g
All versions
Configuration G
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Spa514g Firmware
Up to 7.6.2sr5
Running on/withPlatform Versions
Cisco
Spa514g
All versions
Configuration H
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Spa525g2 Firmware
Up to 7.6.2sr5
Running on/withPlatform Versions
Cisco
Spa525g2
All versions
Configuration I
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Spa500s Firmware
Up to 7.6.2sr5
Running on/withPlatform Versions
Cisco
Spa500s
All versions
Configuration J
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Spa500ds Firmware
Up to 7.6.2sr5
Running on/withPlatform Versions
Cisco
Spa500ds
All versions

Related CWEs

CWE-20
Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

References (4)

Source: psirt@cisco.com
Third Party AdvisoryVDB Entry
Source: psirt@cisco.com
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party AdvisoryVDB Entry
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory

Timeline

No history available yet.