CVE-2024-20458

Published: Oct 16, 2024Modified: Oct 22, 2024

8.2

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

Exploitability: 3.9 / Impact: 4.2

Source: NVD

Description

A vulnerability in the web-based management interface of Cisco ATA 190 Series Analog Telephone Adapter firmware could allow an unauthenticated, remote attacker to view or delete the configuration or change the firmware on an affected device. This vulnerability is due to a lack of authentication on specific HTTP endpoints. An attacker could exploit this vulnerability by browsing to a specific URL. A successful exploit could allow the attacker to view or delete the configuration or change the firmware.

Affected (3)

Products: Cisco: Ata 191 Firmware, Ata 192 Firmware

Cisco

2 products

Ata 191 Firmware

Ata 192 Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Cisco Ata 191 Firmware	Before 12.0.2

Running on/with	Platform Versions
Cisco Ata 191	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Cisco Ata 191 Firmware	Before 11.2.5

Running on/with	Platform Versions
Cisco Ata 191	All versions

Configuration C

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Cisco Ata 192 Firmware	Before 11.2.5

Running on/with	Platform Versions
Cisco Ata 192	All versions

Related CWEs

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (1)

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ata19x-multi-RDTEqRsy

Source: psirt@cisco.com

Vendor Advisory

Timeline

No history available yet.