CVE-2021-1156

Published: Jan 13, 2021Modified: Nov 21, 2024

4.8

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Exploitability: 1.7 / Impact: 2.7

Source: NVD

Description

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface. The vulnerabilities are due to insufficient input validation by the web-based management interface. An attacker could exploit these vulnerabilities by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit these vulnerabilities, an attacker would need to have valid administrator credentials on the affected device.

Affected (9)

Products: Cisco: Rv110w Firmware, Rv130 Vpn Router Firmware, Rv130w Firmware, Rv215w Wireless N Vpn Router Firmware, Application Extension Platform

Cisco

5 products

Rv110w Firmware

Rv130 Vpn Router Firmware

Rv130w Firmware

Rv215w Wireless N Vpn Router Firmware

Application Extension Platform

Configuration A

2 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Cisco Rv110w Firmware	Version 1.2.2.8
Cisco Rv110w Firmware	Version 1.3.1.7

Running on/with	Platform Versions
Cisco Rv110w	All versions

Configuration B

2 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Cisco Rv130 Vpn Router Firmware	Version 1.2.2.8
Cisco Rv130 Vpn Router Firmware	Version 1.3.1.7

Running on/with	Platform Versions
Cisco Rv130 Vpn Router	All versions

Configuration C

2 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Cisco Rv130w Firmware	Version 1.2.2.8
Cisco Rv130w Firmware	Version 1.3.1.7

Running on/with	Platform Versions
Cisco Rv130w	All versions

Configuration D

2 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Cisco Rv215w Wireless N Vpn Router Firmware	Version 1.2.2.8
Cisco Rv215w Wireless N Vpn Router Firmware	Version 1.3.1.7

Running on/with	Platform Versions
Cisco Rv215w Wireless N Vpn Router	All versions

Configuration E

1 vulnerable

Vulnerable Software	Affected Versions
Cisco Application Extension Platform	Version 1.0.3.55

Related CWEs

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (2)

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-stored-xss-LPTQ3EQC

Source: psirt@cisco.com

Vendor Advisory

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-stored-xss-LPTQ3EQC

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.