Search criteria
60 vulnerabilities found for spa112_firmware by cisco
FKIE_CVE-2023-20126
Vulnerability from fkie_nvd - Published: 2023-05-04 20:15 - Updated: 2024-11-21 07:40
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
A vulnerability in the web-based management interface of Cisco SPA112 2-Port Phone Adapters could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to a missing authentication process within the firmware upgrade function. An attacker could exploit this vulnerability by upgrading an affected device to a crafted version of firmware. A successful exploit could allow the attacker to execute arbitrary code on the affected device with full privileges. Cisco has not released firmware updates to address this vulnerability.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112 | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr9:*:*:*:*:*:*",
"matchCriteriaId": "93892343-0F12-4403-871F-247442F93769",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:cisco:spa112:-:*:*:*:*:*:*:*",
"matchCriteriaId": "F61B8649-0781-4AF5-8CED-34616A9524FF",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in the web-based management interface of Cisco SPA112 2-Port Phone Adapters could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to a missing authentication process within the firmware upgrade function. An attacker could exploit this vulnerability by upgrading an affected device to a crafted version of firmware. A successful exploit could allow the attacker to execute arbitrary code on the affected device with full privileges. Cisco has not released firmware updates to address this vulnerability."
}
],
"id": "CVE-2023-20126",
"lastModified": "2024-11-21T07:40:37.103",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "psirt@cisco.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-05-04T20:15:09.633",
"references": [
{
"source": "psirt@cisco.com",
"tags": [
"Vendor Advisory"
],
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-spa-unauth-upgrade-UqhyTWW"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-spa-unauth-upgrade-UqhyTWW"
}
],
"sourceIdentifier": "psirt@cisco.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-306"
}
],
"source": "psirt@cisco.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-306"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2019-15251
Vulnerability from fkie_nvd - Published: 2019-10-16 19:15 - Updated: 2024-11-21 04:28
Severity ?
Summary
Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, adjacent attacker to execute arbitrary code with elevated privileges. The vulnerabilities are due to improper validation of user-supplied input to the web-based management interface. An attacker could exploit these vulnerabilities by authenticating to the web-based management interface and sending crafted requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges. Note: The web-based management interface is enabled by default.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| cisco | spa112_firmware | * | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112 | - | |
| cisco | spa122_firmware | * | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122 | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CDE978DB-5C48-4E25-A67E-497F033366E1",
"versionEndExcluding": "1.4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:-:*:*:*:*:*:*",
"matchCriteriaId": "CDBCF90E-2E7B-4A58-B0DF-4A02D880EF0D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr1:*:*:*:*:*:*",
"matchCriteriaId": "661CECD1-038C-41B1-AEB7-9C3E5087E088",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr2:*:*:*:*:*:*",
"matchCriteriaId": "691B5688-DDAF-49EE-8E9F-ABB06BB628B0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr3:*:*:*:*:*:*",
"matchCriteriaId": "C4BAC9C2-3475-42EC-81FA-12BE338C936A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr4:*:*:*:*:*:*",
"matchCriteriaId": "AC77A5AB-9D9F-4B75-879E-F9646E34AC53",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:cisco:spa112:-:*:*:*:*:*:*:*",
"matchCriteriaId": "F61B8649-0781-4AF5-8CED-34616A9524FF",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "22E490C8-BA3D-44E0-A677-C3311489EED5",
"versionEndExcluding": "1.4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:-:*:*:*:*:*:*",
"matchCriteriaId": "30A5E568-2B2A-4A46-99E9-5FC203F96347",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr1:*:*:*:*:*:*",
"matchCriteriaId": "4A1FCBBE-9EE3-4D9D-AD25-2D4FA5893263",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr2:*:*:*:*:*:*",
"matchCriteriaId": "6D77D805-40B9-41F1-9A1A-C1A85E89361E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr3:*:*:*:*:*:*",
"matchCriteriaId": "1B7D0675-063B-45A2-985D-B32FF3D6E15B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr4:*:*:*:*:*:*",
"matchCriteriaId": "23DFD64F-5E61-4CD0-AE3F-533AEC14F932",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:cisco:spa122:-:*:*:*:*:*:*:*",
"matchCriteriaId": "8C874C71-46D9-48A4-81C9-7ADDDB22FC8C",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, adjacent attacker to execute arbitrary code with elevated privileges. The vulnerabilities are due to improper validation of user-supplied input to the web-based management interface. An attacker could exploit these vulnerabilities by authenticating to the web-based management interface and sending crafted requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges. Note: The web-based management interface is enabled by default."
},
{
"lang": "es",
"value": "M\u00faltiples vulnerabilidades en los dispositivos Cisco SPA100 Series Analog Telephone Adapters (ATAs), podr\u00edan permitir a un atacante adyacente autenticado ejecutar c\u00f3digo arbitrario con privilegios elevados. Las vulnerabilidades son debido a una comprobaci\u00f3n inapropiada de la entrada suministrada por el usuario en la interfaz de administraci\u00f3n basada en web. Un atacante podr\u00eda explotar estas vulnerabilidades al autenticarse en la interfaz de administraci\u00f3n basada en web y enviando peticiones dise\u00f1adas hacia un dispositivo afectado. Una explotaci\u00f3n con \u00e9xito podr\u00eda permitir al atacante ejecutar c\u00f3digo arbitrario con privilegios elevados. Nota: La interfaz de administraci\u00f3n basada en web est\u00e1 habilitada por defecto."
}
],
"id": "CVE-2019-15251",
"lastModified": "2024-11-21T04:28:17.827",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "ADJACENT_NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.2,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:A/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 5.1,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.1,
"impactScore": 5.9,
"source": "psirt@cisco.com",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-10-16T19:15:13.333",
"references": [
{
"source": "psirt@cisco.com",
"tags": [
"Vendor Advisory"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-rce"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-rce"
}
],
"sourceIdentifier": "psirt@cisco.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-119"
}
],
"source": "psirt@cisco.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-119"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2019-15257
Vulnerability from fkie_nvd - Published: 2019-10-16 19:15 - Updated: 2024-11-21 04:28
Severity ?
Summary
A vulnerability in the web-based management interface of Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, remote attacker to access sensitive information on an affected device. The vulnerability is due to improper restrictions on configuration information. An attacker could exploit this vulnerability by sending a request to an affected device through the web-based management interface. A successful exploit could allow the attacker to return running configuration information that could also include sensitive information.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| cisco | spa112_firmware | * | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112 | - | |
| cisco | spa122_firmware | * | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122 | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CDE978DB-5C48-4E25-A67E-497F033366E1",
"versionEndExcluding": "1.4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:-:*:*:*:*:*:*",
"matchCriteriaId": "CDBCF90E-2E7B-4A58-B0DF-4A02D880EF0D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr1:*:*:*:*:*:*",
"matchCriteriaId": "661CECD1-038C-41B1-AEB7-9C3E5087E088",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr2:*:*:*:*:*:*",
"matchCriteriaId": "691B5688-DDAF-49EE-8E9F-ABB06BB628B0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr3:*:*:*:*:*:*",
"matchCriteriaId": "C4BAC9C2-3475-42EC-81FA-12BE338C936A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:cisco:spa112:-:*:*:*:*:*:*:*",
"matchCriteriaId": "F61B8649-0781-4AF5-8CED-34616A9524FF",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "22E490C8-BA3D-44E0-A677-C3311489EED5",
"versionEndExcluding": "1.4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:-:*:*:*:*:*:*",
"matchCriteriaId": "30A5E568-2B2A-4A46-99E9-5FC203F96347",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr1:*:*:*:*:*:*",
"matchCriteriaId": "4A1FCBBE-9EE3-4D9D-AD25-2D4FA5893263",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr2:*:*:*:*:*:*",
"matchCriteriaId": "6D77D805-40B9-41F1-9A1A-C1A85E89361E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr3:*:*:*:*:*:*",
"matchCriteriaId": "1B7D0675-063B-45A2-985D-B32FF3D6E15B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:cisco:spa122:-:*:*:*:*:*:*:*",
"matchCriteriaId": "8C874C71-46D9-48A4-81C9-7ADDDB22FC8C",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in the web-based management interface of Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, remote attacker to access sensitive information on an affected device. The vulnerability is due to improper restrictions on configuration information. An attacker could exploit this vulnerability by sending a request to an affected device through the web-based management interface. A successful exploit could allow the attacker to return running configuration information that could also include sensitive information."
},
{
"lang": "es",
"value": "Una vulnerabilidad en la interfaz de administraci\u00f3n basada en web de los dispositivos Cisco SPA100 Series Analog Telephone Adapters (ATAs), podr\u00eda permitir a un atacante remoto autenticado acceder a informaci\u00f3n confidencial en un dispositivo afectado. La vulnerabilidad es debido a restricciones inapropiadas en la informaci\u00f3n de configuraci\u00f3n. Un atacante podr\u00eda explotar esta vulnerabilidad mediante el env\u00edo de una petici\u00f3n hacia un dispositivo afectado por medio de la interfaz de administraci\u00f3n basada en web. Una explotaci\u00f3n con \u00e9xito podr\u00eda permitir al atacante traer de vuelta informaci\u00f3n de configuraci\u00f3n de la ejecuci\u00f3n que tambi\u00e9n podr\u00eda incluir informaci\u00f3n confidencial."
}
],
"id": "CVE-2019-15257",
"lastModified": "2024-11-21T04:28:18.550",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "psirt@cisco.com",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-10-16T19:15:13.537",
"references": [
{
"source": "psirt@cisco.com",
"tags": [
"Vendor Advisory"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-running-config"
},
{
"source": "psirt@cisco.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.tenable.com/security/research/tra-2019-44"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-running-config"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.tenable.com/security/research/tra-2019-44"
}
],
"sourceIdentifier": "psirt@cisco.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "psirt@cisco.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2019-15258
Vulnerability from fkie_nvd - Published: 2019-10-16 19:15 - Updated: 2024-11-21 04:28
Severity ?
Summary
A vulnerability in the web-based management interface of Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, remote attacker to cause a denial of service condition on an affected device. The vulnerability is due to improper validation of user-supplied requests to the web-based management interface. An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface of an affected device. A successful exploit could allow the attacker to cause the device to stop responding, requiring manual intervention for recovery.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| cisco | spa112_firmware | * | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112 | - | |
| cisco | spa122_firmware | * | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122 | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CDE978DB-5C48-4E25-A67E-497F033366E1",
"versionEndExcluding": "1.4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:-:*:*:*:*:*:*",
"matchCriteriaId": "CDBCF90E-2E7B-4A58-B0DF-4A02D880EF0D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr1:*:*:*:*:*:*",
"matchCriteriaId": "661CECD1-038C-41B1-AEB7-9C3E5087E088",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr2:*:*:*:*:*:*",
"matchCriteriaId": "691B5688-DDAF-49EE-8E9F-ABB06BB628B0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr3:*:*:*:*:*:*",
"matchCriteriaId": "C4BAC9C2-3475-42EC-81FA-12BE338C936A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:cisco:spa112:-:*:*:*:*:*:*:*",
"matchCriteriaId": "F61B8649-0781-4AF5-8CED-34616A9524FF",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "22E490C8-BA3D-44E0-A677-C3311489EED5",
"versionEndExcluding": "1.4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:-:*:*:*:*:*:*",
"matchCriteriaId": "30A5E568-2B2A-4A46-99E9-5FC203F96347",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr1:*:*:*:*:*:*",
"matchCriteriaId": "4A1FCBBE-9EE3-4D9D-AD25-2D4FA5893263",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr2:*:*:*:*:*:*",
"matchCriteriaId": "6D77D805-40B9-41F1-9A1A-C1A85E89361E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr3:*:*:*:*:*:*",
"matchCriteriaId": "1B7D0675-063B-45A2-985D-B32FF3D6E15B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:cisco:spa122:-:*:*:*:*:*:*:*",
"matchCriteriaId": "8C874C71-46D9-48A4-81C9-7ADDDB22FC8C",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in the web-based management interface of Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, remote attacker to cause a denial of service condition on an affected device. The vulnerability is due to improper validation of user-supplied requests to the web-based management interface. An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface of an affected device. A successful exploit could allow the attacker to cause the device to stop responding, requiring manual intervention for recovery."
},
{
"lang": "es",
"value": "Una vulnerabilidad en la interfaz de administraci\u00f3n basada en web de los dispositivos Cisco SPA100 Series Analog Telephone Adapters (ATAs), podr\u00eda permitir a un atacante remoto autenticado causar una condici\u00f3n de denegaci\u00f3n de servicio en un dispositivo afectado. La vulnerabilidad es debido a una comprobaci\u00f3n inapropiada de las peticiones suministradas por el usuario en la interfaz de administraci\u00f3n basada en web. Un atacante podr\u00eda explotar esta vulnerabilidad mediante el env\u00edo de una petici\u00f3n dise\u00f1ada hacia la interfaz de administraci\u00f3n basada en web de un dispositivo afectado. Una explotaci\u00f3n con \u00e9xito podr\u00eda permitir al atacante causar que el dispositivo deje de responder, requiriendo intervenci\u00f3n manual para la recuperaci\u00f3n."
}
],
"id": "CVE-2019-15258",
"lastModified": "2024-11-21T04:28:18.680",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "COMPLETE",
"baseScore": 6.8,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:C",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "psirt@cisco.com",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-10-16T19:15:13.630",
"references": [
{
"source": "psirt@cisco.com",
"tags": [
"Vendor Advisory"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-webui-dos"
},
{
"source": "psirt@cisco.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.tenable.com/security/research/tra-2019-44"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-webui-dos"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.tenable.com/security/research/tra-2019-44"
}
],
"sourceIdentifier": "psirt@cisco.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-399"
}
],
"source": "psirt@cisco.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-476"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2019-15249
Vulnerability from fkie_nvd - Published: 2019-10-16 19:15 - Updated: 2024-11-21 04:28
Severity ?
Summary
Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, adjacent attacker to execute arbitrary code with elevated privileges. The vulnerabilities are due to improper validation of user-supplied input to the web-based management interface. An attacker could exploit these vulnerabilities by authenticating to the web-based management interface and sending crafted requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges. Note: The web-based management interface is enabled by default.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| cisco | spa112_firmware | * | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112 | - | |
| cisco | spa122_firmware | * | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122 | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CDE978DB-5C48-4E25-A67E-497F033366E1",
"versionEndExcluding": "1.4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:-:*:*:*:*:*:*",
"matchCriteriaId": "CDBCF90E-2E7B-4A58-B0DF-4A02D880EF0D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr1:*:*:*:*:*:*",
"matchCriteriaId": "661CECD1-038C-41B1-AEB7-9C3E5087E088",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr2:*:*:*:*:*:*",
"matchCriteriaId": "691B5688-DDAF-49EE-8E9F-ABB06BB628B0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr3:*:*:*:*:*:*",
"matchCriteriaId": "C4BAC9C2-3475-42EC-81FA-12BE338C936A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr4:*:*:*:*:*:*",
"matchCriteriaId": "AC77A5AB-9D9F-4B75-879E-F9646E34AC53",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:cisco:spa112:-:*:*:*:*:*:*:*",
"matchCriteriaId": "F61B8649-0781-4AF5-8CED-34616A9524FF",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "22E490C8-BA3D-44E0-A677-C3311489EED5",
"versionEndExcluding": "1.4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:-:*:*:*:*:*:*",
"matchCriteriaId": "30A5E568-2B2A-4A46-99E9-5FC203F96347",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr1:*:*:*:*:*:*",
"matchCriteriaId": "4A1FCBBE-9EE3-4D9D-AD25-2D4FA5893263",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr2:*:*:*:*:*:*",
"matchCriteriaId": "6D77D805-40B9-41F1-9A1A-C1A85E89361E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr3:*:*:*:*:*:*",
"matchCriteriaId": "1B7D0675-063B-45A2-985D-B32FF3D6E15B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr4:*:*:*:*:*:*",
"matchCriteriaId": "23DFD64F-5E61-4CD0-AE3F-533AEC14F932",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:cisco:spa122:-:*:*:*:*:*:*:*",
"matchCriteriaId": "8C874C71-46D9-48A4-81C9-7ADDDB22FC8C",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, adjacent attacker to execute arbitrary code with elevated privileges. The vulnerabilities are due to improper validation of user-supplied input to the web-based management interface. An attacker could exploit these vulnerabilities by authenticating to the web-based management interface and sending crafted requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges. Note: The web-based management interface is enabled by default."
},
{
"lang": "es",
"value": "M\u00faltiples vulnerabilidades en los dispositivos Cisco SPA100 Series Analog Telephone Adapters (ATAs), podr\u00edan permitir a un atacante adyacente autenticado ejecutar c\u00f3digo arbitrario con privilegios elevados. Las vulnerabilidades son debido a una comprobaci\u00f3n inapropiada de la entrada suministrada por el usuario en la interfaz de administraci\u00f3n basada en web. Un atacante podr\u00eda explotar estas vulnerabilidades al autenticarse en la interfaz de administraci\u00f3n basada en web y enviando peticiones dise\u00f1adas hacia un dispositivo afectado. Una explotaci\u00f3n con \u00e9xito podr\u00eda permitir al atacante ejecutar c\u00f3digo arbitrario con privilegios elevados. Nota: La interfaz de administraci\u00f3n basada en web est\u00e1 habilitada por defecto."
}
],
"id": "CVE-2019-15249",
"lastModified": "2024-11-21T04:28:17.537",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "ADJACENT_NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.2,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:A/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 5.1,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.1,
"impactScore": 5.9,
"source": "psirt@cisco.com",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-10-16T19:15:13.113",
"references": [
{
"source": "psirt@cisco.com",
"tags": [
"Vendor Advisory"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-rce"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-rce"
}
],
"sourceIdentifier": "psirt@cisco.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-119"
}
],
"source": "psirt@cisco.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-119"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2019-15250
Vulnerability from fkie_nvd - Published: 2019-10-16 19:15 - Updated: 2024-11-21 04:28
Severity ?
Summary
Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, adjacent attacker to execute arbitrary code with elevated privileges. The vulnerabilities are due to improper validation of user-supplied input to the web-based management interface. An attacker could exploit these vulnerabilities by authenticating to the web-based management interface and sending crafted requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges. Note: The web-based management interface is enabled by default.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| cisco | spa112_firmware | * | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112 | - | |
| cisco | spa122_firmware | * | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122 | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CDE978DB-5C48-4E25-A67E-497F033366E1",
"versionEndExcluding": "1.4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:-:*:*:*:*:*:*",
"matchCriteriaId": "CDBCF90E-2E7B-4A58-B0DF-4A02D880EF0D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr1:*:*:*:*:*:*",
"matchCriteriaId": "661CECD1-038C-41B1-AEB7-9C3E5087E088",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr2:*:*:*:*:*:*",
"matchCriteriaId": "691B5688-DDAF-49EE-8E9F-ABB06BB628B0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr3:*:*:*:*:*:*",
"matchCriteriaId": "C4BAC9C2-3475-42EC-81FA-12BE338C936A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr4:*:*:*:*:*:*",
"matchCriteriaId": "AC77A5AB-9D9F-4B75-879E-F9646E34AC53",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:cisco:spa112:-:*:*:*:*:*:*:*",
"matchCriteriaId": "F61B8649-0781-4AF5-8CED-34616A9524FF",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "22E490C8-BA3D-44E0-A677-C3311489EED5",
"versionEndExcluding": "1.4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:-:*:*:*:*:*:*",
"matchCriteriaId": "30A5E568-2B2A-4A46-99E9-5FC203F96347",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr1:*:*:*:*:*:*",
"matchCriteriaId": "4A1FCBBE-9EE3-4D9D-AD25-2D4FA5893263",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr2:*:*:*:*:*:*",
"matchCriteriaId": "6D77D805-40B9-41F1-9A1A-C1A85E89361E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr3:*:*:*:*:*:*",
"matchCriteriaId": "1B7D0675-063B-45A2-985D-B32FF3D6E15B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr4:*:*:*:*:*:*",
"matchCriteriaId": "23DFD64F-5E61-4CD0-AE3F-533AEC14F932",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:cisco:spa122:-:*:*:*:*:*:*:*",
"matchCriteriaId": "8C874C71-46D9-48A4-81C9-7ADDDB22FC8C",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, adjacent attacker to execute arbitrary code with elevated privileges. The vulnerabilities are due to improper validation of user-supplied input to the web-based management interface. An attacker could exploit these vulnerabilities by authenticating to the web-based management interface and sending crafted requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges. Note: The web-based management interface is enabled by default."
},
{
"lang": "es",
"value": "M\u00faltiples vulnerabilidades en los dispositivos Cisco SPA100 Series Analog Telephone Adapters (ATAs), podr\u00edan permitir a un atacante adyacente autenticado ejecutar c\u00f3digo arbitrario con privilegios elevados. Las vulnerabilidades son debido a una comprobaci\u00f3n inapropiada de la entrada suministrada por el usuario en la interfaz de administraci\u00f3n basada en web. Un atacante podr\u00eda explotar estas vulnerabilidades al autenticarse en la interfaz de administraci\u00f3n basada en web y enviando peticiones dise\u00f1adas hacia un dispositivo afectado. Una explotaci\u00f3n con \u00e9xito podr\u00eda permitir al atacante ejecutar c\u00f3digo arbitrario con privilegios elevados. Nota: La interfaz de administraci\u00f3n basada en web est\u00e1 habilitada por defecto."
}
],
"id": "CVE-2019-15250",
"lastModified": "2024-11-21T04:28:17.670",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "ADJACENT_NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.2,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:A/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 5.1,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.1,
"impactScore": 5.9,
"source": "psirt@cisco.com",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-10-16T19:15:13.237",
"references": [
{
"source": "psirt@cisco.com",
"tags": [
"Vendor Advisory"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-rce"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-rce"
}
],
"sourceIdentifier": "psirt@cisco.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-119"
}
],
"source": "psirt@cisco.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-119"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2019-15252
Vulnerability from fkie_nvd - Published: 2019-10-16 19:15 - Updated: 2024-11-21 04:28
Severity ?
Summary
Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, adjacent attacker to execute arbitrary code with elevated privileges. The vulnerabilities are due to improper validation of user-supplied input to the web-based management interface. An attacker could exploit these vulnerabilities by authenticating to the web-based management interface and sending crafted requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges. Note: The web-based management interface is enabled by default.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| cisco | spa112_firmware | * | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112 | - | |
| cisco | spa122_firmware | * | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122 | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CDE978DB-5C48-4E25-A67E-497F033366E1",
"versionEndExcluding": "1.4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:-:*:*:*:*:*:*",
"matchCriteriaId": "CDBCF90E-2E7B-4A58-B0DF-4A02D880EF0D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr1:*:*:*:*:*:*",
"matchCriteriaId": "661CECD1-038C-41B1-AEB7-9C3E5087E088",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr2:*:*:*:*:*:*",
"matchCriteriaId": "691B5688-DDAF-49EE-8E9F-ABB06BB628B0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr3:*:*:*:*:*:*",
"matchCriteriaId": "C4BAC9C2-3475-42EC-81FA-12BE338C936A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr4:*:*:*:*:*:*",
"matchCriteriaId": "AC77A5AB-9D9F-4B75-879E-F9646E34AC53",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:cisco:spa112:-:*:*:*:*:*:*:*",
"matchCriteriaId": "F61B8649-0781-4AF5-8CED-34616A9524FF",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "22E490C8-BA3D-44E0-A677-C3311489EED5",
"versionEndExcluding": "1.4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:-:*:*:*:*:*:*",
"matchCriteriaId": "30A5E568-2B2A-4A46-99E9-5FC203F96347",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr1:*:*:*:*:*:*",
"matchCriteriaId": "4A1FCBBE-9EE3-4D9D-AD25-2D4FA5893263",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr2:*:*:*:*:*:*",
"matchCriteriaId": "6D77D805-40B9-41F1-9A1A-C1A85E89361E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr3:*:*:*:*:*:*",
"matchCriteriaId": "1B7D0675-063B-45A2-985D-B32FF3D6E15B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr4:*:*:*:*:*:*",
"matchCriteriaId": "23DFD64F-5E61-4CD0-AE3F-533AEC14F932",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:cisco:spa122:-:*:*:*:*:*:*:*",
"matchCriteriaId": "8C874C71-46D9-48A4-81C9-7ADDDB22FC8C",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, adjacent attacker to execute arbitrary code with elevated privileges. The vulnerabilities are due to improper validation of user-supplied input to the web-based management interface. An attacker could exploit these vulnerabilities by authenticating to the web-based management interface and sending crafted requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges. Note: The web-based management interface is enabled by default."
},
{
"lang": "es",
"value": "M\u00faltiples vulnerabilidades en los dispositivos Cisco SPA100 Series Analog Telephone Adapters (ATAs), podr\u00edan permitir a un atacante adyacente autenticado ejecutar c\u00f3digo arbitrario con privilegios elevados. Las vulnerabilidades son debido a una comprobaci\u00f3n inapropiada de la entrada suministrada por el usuario en la interfaz de administraci\u00f3n basada en web. Un atacante podr\u00eda explotar estas vulnerabilidades al autenticarse en la interfaz de administraci\u00f3n basada en web y enviando peticiones dise\u00f1adas hacia un dispositivo afectado. Una explotaci\u00f3n con \u00e9xito podr\u00eda permitir al atacante ejecutar c\u00f3digo arbitrario con privilegios elevados. Nota: La interfaz de administraci\u00f3n basada en web est\u00e1 habilitada por defecto."
}
],
"id": "CVE-2019-15252",
"lastModified": "2024-11-21T04:28:17.967",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "ADJACENT_NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.2,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:A/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 5.1,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.1,
"impactScore": 5.9,
"source": "psirt@cisco.com",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-10-16T19:15:13.440",
"references": [
{
"source": "psirt@cisco.com",
"tags": [
"Vendor Advisory"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-rce"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-rce"
}
],
"sourceIdentifier": "psirt@cisco.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-119"
}
],
"source": "psirt@cisco.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-119"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2019-15242
Vulnerability from fkie_nvd - Published: 2019-10-16 19:15 - Updated: 2024-11-21 04:28
Severity ?
Summary
Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, adjacent attacker to execute arbitrary code with elevated privileges. The vulnerabilities are due to improper validation of user-supplied input to the web-based management interface. An attacker could exploit these vulnerabilities by authenticating to the web-based management interface and sending crafted requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges. Note: The web-based management interface is enabled by default.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| cisco | spa112_firmware | * | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112 | - | |
| cisco | spa122_firmware | * | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122 | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CDE978DB-5C48-4E25-A67E-497F033366E1",
"versionEndExcluding": "1.4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:-:*:*:*:*:*:*",
"matchCriteriaId": "CDBCF90E-2E7B-4A58-B0DF-4A02D880EF0D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr1:*:*:*:*:*:*",
"matchCriteriaId": "661CECD1-038C-41B1-AEB7-9C3E5087E088",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr2:*:*:*:*:*:*",
"matchCriteriaId": "691B5688-DDAF-49EE-8E9F-ABB06BB628B0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr3:*:*:*:*:*:*",
"matchCriteriaId": "C4BAC9C2-3475-42EC-81FA-12BE338C936A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr4:*:*:*:*:*:*",
"matchCriteriaId": "AC77A5AB-9D9F-4B75-879E-F9646E34AC53",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:cisco:spa112:-:*:*:*:*:*:*:*",
"matchCriteriaId": "F61B8649-0781-4AF5-8CED-34616A9524FF",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "22E490C8-BA3D-44E0-A677-C3311489EED5",
"versionEndExcluding": "1.4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:-:*:*:*:*:*:*",
"matchCriteriaId": "30A5E568-2B2A-4A46-99E9-5FC203F96347",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr1:*:*:*:*:*:*",
"matchCriteriaId": "4A1FCBBE-9EE3-4D9D-AD25-2D4FA5893263",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr2:*:*:*:*:*:*",
"matchCriteriaId": "6D77D805-40B9-41F1-9A1A-C1A85E89361E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr3:*:*:*:*:*:*",
"matchCriteriaId": "1B7D0675-063B-45A2-985D-B32FF3D6E15B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr4:*:*:*:*:*:*",
"matchCriteriaId": "23DFD64F-5E61-4CD0-AE3F-533AEC14F932",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:cisco:spa122:-:*:*:*:*:*:*:*",
"matchCriteriaId": "8C874C71-46D9-48A4-81C9-7ADDDB22FC8C",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, adjacent attacker to execute arbitrary code with elevated privileges. The vulnerabilities are due to improper validation of user-supplied input to the web-based management interface. An attacker could exploit these vulnerabilities by authenticating to the web-based management interface and sending crafted requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges. Note: The web-based management interface is enabled by default."
},
{
"lang": "es",
"value": "M\u00faltiples vulnerabilidades en los dispositivos Cisco SPA100 Series Analog Telephone Adapters (ATAs), podr\u00edan permitir a un atacante adyacente autenticado ejecutar c\u00f3digo arbitrario con privilegios elevados. Las vulnerabilidades son debido a una comprobaci\u00f3n inapropiada de la entrada suministrada por el usuario en la interfaz de administraci\u00f3n basada en web. Un atacante podr\u00eda explotar estas vulnerabilidades al autenticarse en la interfaz de administraci\u00f3n basada en web y enviando peticiones dise\u00f1adas hacia un dispositivo afectado. Una explotaci\u00f3n con \u00e9xito podr\u00eda permitir al atacante ejecutar c\u00f3digo arbitrario con privilegios elevados. Nota: La interfaz de administraci\u00f3n basada en web est\u00e1 habilitada por defecto."
}
],
"id": "CVE-2019-15242",
"lastModified": "2024-11-21T04:28:16.597",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "ADJACENT_NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.2,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:A/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 5.1,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.1,
"impactScore": 5.9,
"source": "psirt@cisco.com",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-10-16T19:15:12.317",
"references": [
{
"source": "psirt@cisco.com",
"tags": [
"Vendor Advisory"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-rce"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-rce"
}
],
"sourceIdentifier": "psirt@cisco.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-119"
}
],
"source": "psirt@cisco.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-119"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2019-15246
Vulnerability from fkie_nvd - Published: 2019-10-16 19:15 - Updated: 2024-11-21 04:28
Severity ?
Summary
Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, adjacent attacker to execute arbitrary code with elevated privileges. The vulnerabilities are due to improper validation of user-supplied input to the web-based management interface. An attacker could exploit these vulnerabilities by authenticating to the web-based management interface and sending crafted requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges. Note: The web-based management interface is enabled by default.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| cisco | spa112_firmware | * | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112 | - | |
| cisco | spa122_firmware | * | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122 | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CDE978DB-5C48-4E25-A67E-497F033366E1",
"versionEndExcluding": "1.4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:-:*:*:*:*:*:*",
"matchCriteriaId": "CDBCF90E-2E7B-4A58-B0DF-4A02D880EF0D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr1:*:*:*:*:*:*",
"matchCriteriaId": "661CECD1-038C-41B1-AEB7-9C3E5087E088",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr2:*:*:*:*:*:*",
"matchCriteriaId": "691B5688-DDAF-49EE-8E9F-ABB06BB628B0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr3:*:*:*:*:*:*",
"matchCriteriaId": "C4BAC9C2-3475-42EC-81FA-12BE338C936A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr4:*:*:*:*:*:*",
"matchCriteriaId": "AC77A5AB-9D9F-4B75-879E-F9646E34AC53",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:cisco:spa112:-:*:*:*:*:*:*:*",
"matchCriteriaId": "F61B8649-0781-4AF5-8CED-34616A9524FF",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "22E490C8-BA3D-44E0-A677-C3311489EED5",
"versionEndExcluding": "1.4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:-:*:*:*:*:*:*",
"matchCriteriaId": "30A5E568-2B2A-4A46-99E9-5FC203F96347",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr1:*:*:*:*:*:*",
"matchCriteriaId": "4A1FCBBE-9EE3-4D9D-AD25-2D4FA5893263",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr2:*:*:*:*:*:*",
"matchCriteriaId": "6D77D805-40B9-41F1-9A1A-C1A85E89361E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr3:*:*:*:*:*:*",
"matchCriteriaId": "1B7D0675-063B-45A2-985D-B32FF3D6E15B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr4:*:*:*:*:*:*",
"matchCriteriaId": "23DFD64F-5E61-4CD0-AE3F-533AEC14F932",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:cisco:spa122:-:*:*:*:*:*:*:*",
"matchCriteriaId": "8C874C71-46D9-48A4-81C9-7ADDDB22FC8C",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, adjacent attacker to execute arbitrary code with elevated privileges. The vulnerabilities are due to improper validation of user-supplied input to the web-based management interface. An attacker could exploit these vulnerabilities by authenticating to the web-based management interface and sending crafted requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges. Note: The web-based management interface is enabled by default."
},
{
"lang": "es",
"value": "M\u00faltiples vulnerabilidades en los dispositivos Cisco SPA100 Series Analog Telephone Adapters (ATAs), podr\u00edan permitir a un atacante adyacente autenticado ejecutar c\u00f3digo arbitrario con privilegios elevados. Las vulnerabilidades son debido a una comprobaci\u00f3n inapropiada de la entrada suministrada por el usuario en la interfaz de administraci\u00f3n basada en web. Un atacante podr\u00eda explotar estas vulnerabilidades al autenticarse en la interfaz de administraci\u00f3n basada en web y enviando peticiones dise\u00f1adas hacia un dispositivo afectado. Una explotaci\u00f3n con \u00e9xito podr\u00eda permitir al atacante ejecutar c\u00f3digo arbitrario con privilegios elevados. Nota: La interfaz de administraci\u00f3n basada en web est\u00e1 habilitada por defecto."
}
],
"id": "CVE-2019-15246",
"lastModified": "2024-11-21T04:28:17.113",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "ADJACENT_NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.2,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:A/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 5.1,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.1,
"impactScore": 5.9,
"source": "psirt@cisco.com",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-10-16T19:15:12.770",
"references": [
{
"source": "psirt@cisco.com",
"tags": [
"Vendor Advisory"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-rce"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-rce"
}
],
"sourceIdentifier": "psirt@cisco.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-119"
}
],
"source": "psirt@cisco.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-119"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2019-15241
Vulnerability from fkie_nvd - Published: 2019-10-16 19:15 - Updated: 2024-11-21 04:28
Severity ?
Summary
Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, adjacent attacker to execute arbitrary code with elevated privileges. The vulnerabilities are due to improper validation of user-supplied input to the web-based management interface. An attacker could exploit these vulnerabilities by authenticating to the web-based management interface and sending crafted requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges. Note: The web-based management interface is enabled by default.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| cisco | spa112_firmware | * | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112 | - | |
| cisco | spa122_firmware | * | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122 | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CDE978DB-5C48-4E25-A67E-497F033366E1",
"versionEndExcluding": "1.4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:-:*:*:*:*:*:*",
"matchCriteriaId": "CDBCF90E-2E7B-4A58-B0DF-4A02D880EF0D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr1:*:*:*:*:*:*",
"matchCriteriaId": "661CECD1-038C-41B1-AEB7-9C3E5087E088",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr2:*:*:*:*:*:*",
"matchCriteriaId": "691B5688-DDAF-49EE-8E9F-ABB06BB628B0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr3:*:*:*:*:*:*",
"matchCriteriaId": "C4BAC9C2-3475-42EC-81FA-12BE338C936A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr4:*:*:*:*:*:*",
"matchCriteriaId": "AC77A5AB-9D9F-4B75-879E-F9646E34AC53",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:cisco:spa112:-:*:*:*:*:*:*:*",
"matchCriteriaId": "F61B8649-0781-4AF5-8CED-34616A9524FF",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "22E490C8-BA3D-44E0-A677-C3311489EED5",
"versionEndExcluding": "1.4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:-:*:*:*:*:*:*",
"matchCriteriaId": "30A5E568-2B2A-4A46-99E9-5FC203F96347",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr1:*:*:*:*:*:*",
"matchCriteriaId": "4A1FCBBE-9EE3-4D9D-AD25-2D4FA5893263",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr2:*:*:*:*:*:*",
"matchCriteriaId": "6D77D805-40B9-41F1-9A1A-C1A85E89361E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr3:*:*:*:*:*:*",
"matchCriteriaId": "1B7D0675-063B-45A2-985D-B32FF3D6E15B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr4:*:*:*:*:*:*",
"matchCriteriaId": "23DFD64F-5E61-4CD0-AE3F-533AEC14F932",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:cisco:spa122:-:*:*:*:*:*:*:*",
"matchCriteriaId": "8C874C71-46D9-48A4-81C9-7ADDDB22FC8C",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, adjacent attacker to execute arbitrary code with elevated privileges. The vulnerabilities are due to improper validation of user-supplied input to the web-based management interface. An attacker could exploit these vulnerabilities by authenticating to the web-based management interface and sending crafted requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges. Note: The web-based management interface is enabled by default."
},
{
"lang": "es",
"value": "M\u00faltiples vulnerabilidades en los dispositivos Cisco SPA100 Series Analog Telephone Adapters (ATAs), podr\u00edan permitir a un atacante adyacente autenticado ejecutar c\u00f3digo arbitrario con privilegios elevados. Las vulnerabilidades son debido a una comprobaci\u00f3n inapropiada de la entrada suministrada por el usuario en la interfaz de administraci\u00f3n basada en web. Un atacante podr\u00eda explotar estas vulnerabilidades al autenticarse en la interfaz de administraci\u00f3n basada en web y enviando peticiones dise\u00f1adas hacia un dispositivo afectado. Una explotaci\u00f3n con \u00e9xito podr\u00eda permitir al atacante ejecutar c\u00f3digo arbitrario con privilegios elevados. Nota: La interfaz de administraci\u00f3n basada en web est\u00e1 habilitada por defecto."
}
],
"id": "CVE-2019-15241",
"lastModified": "2024-11-21T04:28:16.467",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "ADJACENT_NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.2,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:A/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 5.1,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.1,
"impactScore": 5.9,
"source": "psirt@cisco.com",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-10-16T19:15:12.190",
"references": [
{
"source": "psirt@cisco.com",
"tags": [
"Vendor Advisory"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-rce"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-rce"
}
],
"sourceIdentifier": "psirt@cisco.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-119"
}
],
"source": "psirt@cisco.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-119"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2019-15245
Vulnerability from fkie_nvd - Published: 2019-10-16 19:15 - Updated: 2024-11-21 04:28
Severity ?
Summary
Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, adjacent attacker to execute arbitrary code with elevated privileges. The vulnerabilities are due to improper validation of user-supplied input to the web-based management interface. An attacker could exploit these vulnerabilities by authenticating to the web-based management interface and sending crafted requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges. Note: The web-based management interface is enabled by default.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| cisco | spa112_firmware | * | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112 | - | |
| cisco | spa122_firmware | * | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122 | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CDE978DB-5C48-4E25-A67E-497F033366E1",
"versionEndExcluding": "1.4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:-:*:*:*:*:*:*",
"matchCriteriaId": "CDBCF90E-2E7B-4A58-B0DF-4A02D880EF0D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr1:*:*:*:*:*:*",
"matchCriteriaId": "661CECD1-038C-41B1-AEB7-9C3E5087E088",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr2:*:*:*:*:*:*",
"matchCriteriaId": "691B5688-DDAF-49EE-8E9F-ABB06BB628B0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr3:*:*:*:*:*:*",
"matchCriteriaId": "C4BAC9C2-3475-42EC-81FA-12BE338C936A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr4:*:*:*:*:*:*",
"matchCriteriaId": "AC77A5AB-9D9F-4B75-879E-F9646E34AC53",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:cisco:spa112:-:*:*:*:*:*:*:*",
"matchCriteriaId": "F61B8649-0781-4AF5-8CED-34616A9524FF",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "22E490C8-BA3D-44E0-A677-C3311489EED5",
"versionEndExcluding": "1.4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:-:*:*:*:*:*:*",
"matchCriteriaId": "30A5E568-2B2A-4A46-99E9-5FC203F96347",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr1:*:*:*:*:*:*",
"matchCriteriaId": "4A1FCBBE-9EE3-4D9D-AD25-2D4FA5893263",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr2:*:*:*:*:*:*",
"matchCriteriaId": "6D77D805-40B9-41F1-9A1A-C1A85E89361E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr3:*:*:*:*:*:*",
"matchCriteriaId": "1B7D0675-063B-45A2-985D-B32FF3D6E15B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr4:*:*:*:*:*:*",
"matchCriteriaId": "23DFD64F-5E61-4CD0-AE3F-533AEC14F932",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:cisco:spa122:-:*:*:*:*:*:*:*",
"matchCriteriaId": "8C874C71-46D9-48A4-81C9-7ADDDB22FC8C",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, adjacent attacker to execute arbitrary code with elevated privileges. The vulnerabilities are due to improper validation of user-supplied input to the web-based management interface. An attacker could exploit these vulnerabilities by authenticating to the web-based management interface and sending crafted requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges. Note: The web-based management interface is enabled by default."
},
{
"lang": "es",
"value": "M\u00faltiples vulnerabilidades en los dispositivos Cisco SPA100 Series Analog Telephone Adapters (ATAs), podr\u00edan permitir a un atacante adyacente autenticado ejecutar c\u00f3digo arbitrario con privilegios elevados. Las vulnerabilidades son debido a una comprobaci\u00f3n inapropiada de la entrada suministrada por el usuario en la interfaz de administraci\u00f3n basada en web. Un atacante podr\u00eda explotar estas vulnerabilidades al autenticarse en la interfaz de administraci\u00f3n basada en web y enviando peticiones dise\u00f1adas hacia un dispositivo afectado. Una explotaci\u00f3n con \u00e9xito podr\u00eda permitir al atacante ejecutar c\u00f3digo arbitrario con privilegios elevados. Nota: La interfaz de administraci\u00f3n basada en web est\u00e1 habilitada por defecto."
}
],
"id": "CVE-2019-15245",
"lastModified": "2024-11-21T04:28:16.980",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "ADJACENT_NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.2,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:A/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 5.1,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.1,
"impactScore": 5.9,
"source": "psirt@cisco.com",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-10-16T19:15:12.660",
"references": [
{
"source": "psirt@cisco.com",
"tags": [
"Vendor Advisory"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-rce"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-rce"
}
],
"sourceIdentifier": "psirt@cisco.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-119"
}
],
"source": "psirt@cisco.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-119"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2019-15248
Vulnerability from fkie_nvd - Published: 2019-10-16 19:15 - Updated: 2024-11-21 04:28
Severity ?
Summary
Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, adjacent attacker to execute arbitrary code with elevated privileges. The vulnerabilities are due to improper validation of user-supplied input to the web-based management interface. An attacker could exploit these vulnerabilities by authenticating to the web-based management interface and sending crafted requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges. Note: The web-based management interface is enabled by default.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| cisco | spa112_firmware | * | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112 | - | |
| cisco | spa122_firmware | * | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122 | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CDE978DB-5C48-4E25-A67E-497F033366E1",
"versionEndExcluding": "1.4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:-:*:*:*:*:*:*",
"matchCriteriaId": "CDBCF90E-2E7B-4A58-B0DF-4A02D880EF0D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr1:*:*:*:*:*:*",
"matchCriteriaId": "661CECD1-038C-41B1-AEB7-9C3E5087E088",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr2:*:*:*:*:*:*",
"matchCriteriaId": "691B5688-DDAF-49EE-8E9F-ABB06BB628B0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr3:*:*:*:*:*:*",
"matchCriteriaId": "C4BAC9C2-3475-42EC-81FA-12BE338C936A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr4:*:*:*:*:*:*",
"matchCriteriaId": "AC77A5AB-9D9F-4B75-879E-F9646E34AC53",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:cisco:spa112:-:*:*:*:*:*:*:*",
"matchCriteriaId": "F61B8649-0781-4AF5-8CED-34616A9524FF",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "22E490C8-BA3D-44E0-A677-C3311489EED5",
"versionEndExcluding": "1.4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:-:*:*:*:*:*:*",
"matchCriteriaId": "30A5E568-2B2A-4A46-99E9-5FC203F96347",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr1:*:*:*:*:*:*",
"matchCriteriaId": "4A1FCBBE-9EE3-4D9D-AD25-2D4FA5893263",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr2:*:*:*:*:*:*",
"matchCriteriaId": "6D77D805-40B9-41F1-9A1A-C1A85E89361E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr3:*:*:*:*:*:*",
"matchCriteriaId": "1B7D0675-063B-45A2-985D-B32FF3D6E15B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr4:*:*:*:*:*:*",
"matchCriteriaId": "23DFD64F-5E61-4CD0-AE3F-533AEC14F932",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:cisco:spa122:-:*:*:*:*:*:*:*",
"matchCriteriaId": "8C874C71-46D9-48A4-81C9-7ADDDB22FC8C",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, adjacent attacker to execute arbitrary code with elevated privileges. The vulnerabilities are due to improper validation of user-supplied input to the web-based management interface. An attacker could exploit these vulnerabilities by authenticating to the web-based management interface and sending crafted requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges. Note: The web-based management interface is enabled by default."
},
{
"lang": "es",
"value": "M\u00faltiples vulnerabilidades en los dispositivos Cisco SPA100 Series Analog Telephone Adapters (ATAs), podr\u00edan permitir a un atacante adyacente autenticado ejecutar c\u00f3digo arbitrario con privilegios elevados. Las vulnerabilidades son debido a una comprobaci\u00f3n inapropiada de la entrada suministrada por el usuario en la interfaz de administraci\u00f3n basada en web. Un atacante podr\u00eda explotar estas vulnerabilidades al autenticarse en la interfaz de administraci\u00f3n basada en web y enviando peticiones dise\u00f1adas hacia un dispositivo afectado. Una explotaci\u00f3n con \u00e9xito podr\u00eda permitir al atacante ejecutar c\u00f3digo arbitrario con privilegios elevados. Nota: La interfaz de administraci\u00f3n basada en web est\u00e1 habilitada por defecto."
}
],
"id": "CVE-2019-15248",
"lastModified": "2024-11-21T04:28:17.400",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "ADJACENT_NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.2,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:A/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 5.1,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.1,
"impactScore": 5.9,
"source": "psirt@cisco.com",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-10-16T19:15:12.973",
"references": [
{
"source": "psirt@cisco.com",
"tags": [
"Vendor Advisory"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-rce"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-rce"
}
],
"sourceIdentifier": "psirt@cisco.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-119"
}
],
"source": "psirt@cisco.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-119"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2019-15247
Vulnerability from fkie_nvd - Published: 2019-10-16 19:15 - Updated: 2024-11-21 04:28
Severity ?
Summary
Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, adjacent attacker to execute arbitrary code with elevated privileges. The vulnerabilities are due to improper validation of user-supplied input to the web-based management interface. An attacker could exploit these vulnerabilities by authenticating to the web-based management interface and sending crafted requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges. Note: The web-based management interface is enabled by default.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| cisco | spa112_firmware | * | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112 | - | |
| cisco | spa122_firmware | * | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122 | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CDE978DB-5C48-4E25-A67E-497F033366E1",
"versionEndExcluding": "1.4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:-:*:*:*:*:*:*",
"matchCriteriaId": "CDBCF90E-2E7B-4A58-B0DF-4A02D880EF0D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr1:*:*:*:*:*:*",
"matchCriteriaId": "661CECD1-038C-41B1-AEB7-9C3E5087E088",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr2:*:*:*:*:*:*",
"matchCriteriaId": "691B5688-DDAF-49EE-8E9F-ABB06BB628B0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr3:*:*:*:*:*:*",
"matchCriteriaId": "C4BAC9C2-3475-42EC-81FA-12BE338C936A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr4:*:*:*:*:*:*",
"matchCriteriaId": "AC77A5AB-9D9F-4B75-879E-F9646E34AC53",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:cisco:spa112:-:*:*:*:*:*:*:*",
"matchCriteriaId": "F61B8649-0781-4AF5-8CED-34616A9524FF",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "22E490C8-BA3D-44E0-A677-C3311489EED5",
"versionEndExcluding": "1.4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:-:*:*:*:*:*:*",
"matchCriteriaId": "30A5E568-2B2A-4A46-99E9-5FC203F96347",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr1:*:*:*:*:*:*",
"matchCriteriaId": "4A1FCBBE-9EE3-4D9D-AD25-2D4FA5893263",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr2:*:*:*:*:*:*",
"matchCriteriaId": "6D77D805-40B9-41F1-9A1A-C1A85E89361E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr3:*:*:*:*:*:*",
"matchCriteriaId": "1B7D0675-063B-45A2-985D-B32FF3D6E15B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr4:*:*:*:*:*:*",
"matchCriteriaId": "23DFD64F-5E61-4CD0-AE3F-533AEC14F932",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:cisco:spa122:-:*:*:*:*:*:*:*",
"matchCriteriaId": "8C874C71-46D9-48A4-81C9-7ADDDB22FC8C",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, adjacent attacker to execute arbitrary code with elevated privileges. The vulnerabilities are due to improper validation of user-supplied input to the web-based management interface. An attacker could exploit these vulnerabilities by authenticating to the web-based management interface and sending crafted requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges. Note: The web-based management interface is enabled by default."
},
{
"lang": "es",
"value": "M\u00faltiples vulnerabilidades en los dispositivos Cisco SPA100 Series Analog Telephone Adapters (ATAs), podr\u00edan permitir a un atacante adyacente autenticado ejecutar c\u00f3digo arbitrario con privilegios elevados. Las vulnerabilidades son debido a una comprobaci\u00f3n inapropiada de la entrada suministrada por el usuario en la interfaz de administraci\u00f3n basada en web. Un atacante podr\u00eda explotar estas vulnerabilidades al autenticarse en la interfaz de administraci\u00f3n basada en web y enviando peticiones dise\u00f1adas hacia un dispositivo afectado. Una explotaci\u00f3n con \u00e9xito podr\u00eda permitir al atacante ejecutar c\u00f3digo arbitrario con privilegios elevados. Nota: La interfaz de administraci\u00f3n basada en web est\u00e1 habilitada por defecto."
}
],
"id": "CVE-2019-15247",
"lastModified": "2024-11-21T04:28:17.257",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "ADJACENT_NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.2,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:A/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 5.1,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.1,
"impactScore": 5.9,
"source": "psirt@cisco.com",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-10-16T19:15:12.880",
"references": [
{
"source": "psirt@cisco.com",
"tags": [
"Vendor Advisory"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-rce"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-rce"
}
],
"sourceIdentifier": "psirt@cisco.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-119"
}
],
"source": "psirt@cisco.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-119"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2019-15244
Vulnerability from fkie_nvd - Published: 2019-10-16 19:15 - Updated: 2024-11-21 04:28
Severity ?
Summary
Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, adjacent attacker to execute arbitrary code with elevated privileges. The vulnerabilities are due to improper validation of user-supplied input to the web-based management interface. An attacker could exploit these vulnerabilities by authenticating to the web-based management interface and sending crafted requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges. Note: The web-based management interface is enabled by default.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| cisco | spa112_firmware | * | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112 | - | |
| cisco | spa122_firmware | * | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122 | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CDE978DB-5C48-4E25-A67E-497F033366E1",
"versionEndExcluding": "1.4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:-:*:*:*:*:*:*",
"matchCriteriaId": "CDBCF90E-2E7B-4A58-B0DF-4A02D880EF0D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr1:*:*:*:*:*:*",
"matchCriteriaId": "661CECD1-038C-41B1-AEB7-9C3E5087E088",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr2:*:*:*:*:*:*",
"matchCriteriaId": "691B5688-DDAF-49EE-8E9F-ABB06BB628B0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr3:*:*:*:*:*:*",
"matchCriteriaId": "C4BAC9C2-3475-42EC-81FA-12BE338C936A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr4:*:*:*:*:*:*",
"matchCriteriaId": "AC77A5AB-9D9F-4B75-879E-F9646E34AC53",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:cisco:spa112:-:*:*:*:*:*:*:*",
"matchCriteriaId": "F61B8649-0781-4AF5-8CED-34616A9524FF",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "22E490C8-BA3D-44E0-A677-C3311489EED5",
"versionEndExcluding": "1.4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:-:*:*:*:*:*:*",
"matchCriteriaId": "30A5E568-2B2A-4A46-99E9-5FC203F96347",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr1:*:*:*:*:*:*",
"matchCriteriaId": "4A1FCBBE-9EE3-4D9D-AD25-2D4FA5893263",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr2:*:*:*:*:*:*",
"matchCriteriaId": "6D77D805-40B9-41F1-9A1A-C1A85E89361E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr3:*:*:*:*:*:*",
"matchCriteriaId": "1B7D0675-063B-45A2-985D-B32FF3D6E15B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr4:*:*:*:*:*:*",
"matchCriteriaId": "23DFD64F-5E61-4CD0-AE3F-533AEC14F932",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:cisco:spa122:-:*:*:*:*:*:*:*",
"matchCriteriaId": "8C874C71-46D9-48A4-81C9-7ADDDB22FC8C",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, adjacent attacker to execute arbitrary code with elevated privileges. The vulnerabilities are due to improper validation of user-supplied input to the web-based management interface. An attacker could exploit these vulnerabilities by authenticating to the web-based management interface and sending crafted requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges. Note: The web-based management interface is enabled by default."
},
{
"lang": "es",
"value": "M\u00faltiples vulnerabilidades en los dispositivos Cisco SPA100 Series Analog Telephone Adapters (ATAs), podr\u00edan permitir a un atacante adyacente autenticado ejecutar c\u00f3digo arbitrario con privilegios elevados. Las vulnerabilidades son debido a una comprobaci\u00f3n inapropiada de la entrada suministrada por el usuario en la interfaz de administraci\u00f3n basada en web. Un atacante podr\u00eda explotar estas vulnerabilidades al autenticarse en la interfaz de administraci\u00f3n basada en web y enviando peticiones dise\u00f1adas hacia un dispositivo afectado. Una explotaci\u00f3n con \u00e9xito podr\u00eda permitir al atacante ejecutar c\u00f3digo arbitrario con privilegios elevados. Nota: La interfaz de administraci\u00f3n basada en web est\u00e1 habilitada por defecto."
}
],
"id": "CVE-2019-15244",
"lastModified": "2024-11-21T04:28:16.850",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "ADJACENT_NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.2,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:A/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 5.1,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.1,
"impactScore": 5.9,
"source": "psirt@cisco.com",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-10-16T19:15:12.550",
"references": [
{
"source": "psirt@cisco.com",
"tags": [
"Vendor Advisory"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-rce"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-rce"
}
],
"sourceIdentifier": "psirt@cisco.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-119"
}
],
"source": "psirt@cisco.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-119"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2019-15243
Vulnerability from fkie_nvd - Published: 2019-10-16 19:15 - Updated: 2024-11-21 04:28
Severity ?
Summary
Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, adjacent attacker to execute arbitrary code with elevated privileges. The vulnerabilities are due to improper validation of user-supplied input to the web-based management interface. An attacker could exploit these vulnerabilities by authenticating to the web-based management interface and sending crafted requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges. Note: The web-based management interface is enabled by default.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| cisco | spa112_firmware | * | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112 | - | |
| cisco | spa122_firmware | * | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122 | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CDE978DB-5C48-4E25-A67E-497F033366E1",
"versionEndExcluding": "1.4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:-:*:*:*:*:*:*",
"matchCriteriaId": "CDBCF90E-2E7B-4A58-B0DF-4A02D880EF0D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr1:*:*:*:*:*:*",
"matchCriteriaId": "661CECD1-038C-41B1-AEB7-9C3E5087E088",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr2:*:*:*:*:*:*",
"matchCriteriaId": "691B5688-DDAF-49EE-8E9F-ABB06BB628B0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr3:*:*:*:*:*:*",
"matchCriteriaId": "C4BAC9C2-3475-42EC-81FA-12BE338C936A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr4:*:*:*:*:*:*",
"matchCriteriaId": "AC77A5AB-9D9F-4B75-879E-F9646E34AC53",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:cisco:spa112:-:*:*:*:*:*:*:*",
"matchCriteriaId": "F61B8649-0781-4AF5-8CED-34616A9524FF",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "22E490C8-BA3D-44E0-A677-C3311489EED5",
"versionEndExcluding": "1.4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:-:*:*:*:*:*:*",
"matchCriteriaId": "30A5E568-2B2A-4A46-99E9-5FC203F96347",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr1:*:*:*:*:*:*",
"matchCriteriaId": "4A1FCBBE-9EE3-4D9D-AD25-2D4FA5893263",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr2:*:*:*:*:*:*",
"matchCriteriaId": "6D77D805-40B9-41F1-9A1A-C1A85E89361E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr3:*:*:*:*:*:*",
"matchCriteriaId": "1B7D0675-063B-45A2-985D-B32FF3D6E15B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr4:*:*:*:*:*:*",
"matchCriteriaId": "23DFD64F-5E61-4CD0-AE3F-533AEC14F932",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:cisco:spa122:-:*:*:*:*:*:*:*",
"matchCriteriaId": "8C874C71-46D9-48A4-81C9-7ADDDB22FC8C",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, adjacent attacker to execute arbitrary code with elevated privileges. The vulnerabilities are due to improper validation of user-supplied input to the web-based management interface. An attacker could exploit these vulnerabilities by authenticating to the web-based management interface and sending crafted requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges. Note: The web-based management interface is enabled by default."
},
{
"lang": "es",
"value": "M\u00faltiples vulnerabilidades en los dispositivos Cisco SPA100 Series Analog Telephone Adapters (ATAs), podr\u00edan permitir a un atacante adyacente autenticado ejecutar c\u00f3digo arbitrario con privilegios elevados. Las vulnerabilidades son debido a una comprobaci\u00f3n inapropiada de la entrada suministrada por el usuario en la interfaz de administraci\u00f3n basada en web. Un atacante podr\u00eda explotar estas vulnerabilidades al autenticarse en la interfaz de administraci\u00f3n basada en web y enviando peticiones dise\u00f1adas hacia un dispositivo afectado. Una explotaci\u00f3n con \u00e9xito podr\u00eda permitir al atacante ejecutar c\u00f3digo arbitrario con privilegios elevados. Nota: La interfaz de administraci\u00f3n basada en web est\u00e1 habilitada por defecto."
}
],
"id": "CVE-2019-15243",
"lastModified": "2024-11-21T04:28:16.730",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "ADJACENT_NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.2,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:A/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 5.1,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.1,
"impactScore": 5.9,
"source": "psirt@cisco.com",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-10-16T19:15:12.427",
"references": [
{
"source": "psirt@cisco.com",
"tags": [
"Vendor Advisory"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-rce"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-rce"
}
],
"sourceIdentifier": "psirt@cisco.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-119"
}
],
"source": "psirt@cisco.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-119"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2019-15240
Vulnerability from fkie_nvd - Published: 2019-10-16 19:15 - Updated: 2024-11-21 04:28
Severity ?
Summary
Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, adjacent attacker to execute arbitrary code with elevated privileges. The vulnerabilities are due to improper validation of user-supplied input to the web-based management interface. An attacker could exploit these vulnerabilities by authenticating to the web-based management interface and sending crafted requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges. Note: The web-based management interface is enabled by default.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| cisco | spa112_firmware | * | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112 | - | |
| cisco | spa122_firmware | * | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122 | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CDE978DB-5C48-4E25-A67E-497F033366E1",
"versionEndExcluding": "1.4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:-:*:*:*:*:*:*",
"matchCriteriaId": "CDBCF90E-2E7B-4A58-B0DF-4A02D880EF0D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr1:*:*:*:*:*:*",
"matchCriteriaId": "661CECD1-038C-41B1-AEB7-9C3E5087E088",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr2:*:*:*:*:*:*",
"matchCriteriaId": "691B5688-DDAF-49EE-8E9F-ABB06BB628B0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr3:*:*:*:*:*:*",
"matchCriteriaId": "C4BAC9C2-3475-42EC-81FA-12BE338C936A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr4:*:*:*:*:*:*",
"matchCriteriaId": "AC77A5AB-9D9F-4B75-879E-F9646E34AC53",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:cisco:spa112:-:*:*:*:*:*:*:*",
"matchCriteriaId": "F61B8649-0781-4AF5-8CED-34616A9524FF",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "22E490C8-BA3D-44E0-A677-C3311489EED5",
"versionEndExcluding": "1.4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:-:*:*:*:*:*:*",
"matchCriteriaId": "30A5E568-2B2A-4A46-99E9-5FC203F96347",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr1:*:*:*:*:*:*",
"matchCriteriaId": "4A1FCBBE-9EE3-4D9D-AD25-2D4FA5893263",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr2:*:*:*:*:*:*",
"matchCriteriaId": "6D77D805-40B9-41F1-9A1A-C1A85E89361E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr3:*:*:*:*:*:*",
"matchCriteriaId": "1B7D0675-063B-45A2-985D-B32FF3D6E15B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr4:*:*:*:*:*:*",
"matchCriteriaId": "23DFD64F-5E61-4CD0-AE3F-533AEC14F932",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:cisco:spa122:-:*:*:*:*:*:*:*",
"matchCriteriaId": "8C874C71-46D9-48A4-81C9-7ADDDB22FC8C",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, adjacent attacker to execute arbitrary code with elevated privileges. The vulnerabilities are due to improper validation of user-supplied input to the web-based management interface. An attacker could exploit these vulnerabilities by authenticating to the web-based management interface and sending crafted requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges. Note: The web-based management interface is enabled by default."
},
{
"lang": "es",
"value": "M\u00faltiples vulnerabilidades en los dispositivos Cisco SPA100 Series Analog Telephone Adapters (ATAs), podr\u00edan permitir a un atacante adyacente autenticado ejecutar c\u00f3digo arbitrario con privilegios elevados. Las vulnerabilidades son debido a una comprobaci\u00f3n inapropiada de la entrada suministrada por el usuario en la interfaz de administraci\u00f3n basada en web. Un atacante podr\u00eda explotar estas vulnerabilidades al autenticarse en la interfaz de administraci\u00f3n basada en web y enviando peticiones dise\u00f1adas hacia un dispositivo afectado. Una explotaci\u00f3n con \u00e9xito podr\u00eda permitir al atacante ejecutar c\u00f3digo arbitrario con privilegios elevados. Nota: La interfaz de administraci\u00f3n basada en web est\u00e1 habilitada por defecto."
}
],
"id": "CVE-2019-15240",
"lastModified": "2024-11-21T04:28:16.327",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "ADJACENT_NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.2,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:A/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 5.1,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.1,
"impactScore": 5.9,
"source": "psirt@cisco.com",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-10-16T19:15:12.083",
"references": [
{
"source": "psirt@cisco.com",
"tags": [
"Vendor Advisory"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-rce"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-rce"
}
],
"sourceIdentifier": "psirt@cisco.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-119"
}
],
"source": "psirt@cisco.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-119"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2019-12708
Vulnerability from fkie_nvd - Published: 2019-10-16 19:15 - Updated: 2024-11-21 04:23
Severity ?
Summary
A vulnerability in the web-based management interface of Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, remote attacker to access sensitive information on an affected device. The vulnerability is due to unsafe handling of user credentials. An attacker could exploit this vulnerability by viewing portions of the web-based management interface of an affected device. A successful exploit could allow the attacker to access administrative credentials and potentially gain elevated privileges by reusing stolen credentials on the affected device.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| cisco | spa112_firmware | * | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112 | - | |
| cisco | spa122_firmware | * | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122 | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CDE978DB-5C48-4E25-A67E-497F033366E1",
"versionEndExcluding": "1.4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:-:*:*:*:*:*:*",
"matchCriteriaId": "CDBCF90E-2E7B-4A58-B0DF-4A02D880EF0D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr1:*:*:*:*:*:*",
"matchCriteriaId": "661CECD1-038C-41B1-AEB7-9C3E5087E088",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr2:*:*:*:*:*:*",
"matchCriteriaId": "691B5688-DDAF-49EE-8E9F-ABB06BB628B0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr3:*:*:*:*:*:*",
"matchCriteriaId": "C4BAC9C2-3475-42EC-81FA-12BE338C936A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:cisco:spa112:-:*:*:*:*:*:*:*",
"matchCriteriaId": "F61B8649-0781-4AF5-8CED-34616A9524FF",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "22E490C8-BA3D-44E0-A677-C3311489EED5",
"versionEndExcluding": "1.4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:-:*:*:*:*:*:*",
"matchCriteriaId": "30A5E568-2B2A-4A46-99E9-5FC203F96347",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr1:*:*:*:*:*:*",
"matchCriteriaId": "4A1FCBBE-9EE3-4D9D-AD25-2D4FA5893263",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr2:*:*:*:*:*:*",
"matchCriteriaId": "6D77D805-40B9-41F1-9A1A-C1A85E89361E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr3:*:*:*:*:*:*",
"matchCriteriaId": "1B7D0675-063B-45A2-985D-B32FF3D6E15B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:cisco:spa122:-:*:*:*:*:*:*:*",
"matchCriteriaId": "8C874C71-46D9-48A4-81C9-7ADDDB22FC8C",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in the web-based management interface of Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, remote attacker to access sensitive information on an affected device. The vulnerability is due to unsafe handling of user credentials. An attacker could exploit this vulnerability by viewing portions of the web-based management interface of an affected device. A successful exploit could allow the attacker to access administrative credentials and potentially gain elevated privileges by reusing stolen credentials on the affected device."
},
{
"lang": "es",
"value": "Una vulnerabilidad en la interfaz de administraci\u00f3n basada en web de los dispositivos Cisco SPA100 Series Analog Telephone Adapters (ATAs), podr\u00eda permitir a un atacante remoto autenticado acceder a informaci\u00f3n confidencial en un dispositivo afectado. La vulnerabilidad es debido a un manejo no seguro de las credenciales de usuario. Un atacante podr\u00eda explotar esta vulnerabilidad al visualizar partes de la interfaz de administraci\u00f3n basada en web de un dispositivo afectado. Una explotaci\u00f3n con \u00e9xito podr\u00eda permitir al atacante acceder a credenciales administrativas y alcanzar potencialmente privilegios elevados mediante la reutilizaci\u00f3n de credenciales robadas en el dispositivo afectado."
}
],
"id": "CVE-2019-12708",
"lastModified": "2024-11-21T04:23:24.573",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "psirt@cisco.com",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-10-16T19:15:11.847",
"references": [
{
"source": "psirt@cisco.com",
"tags": [
"Vendor Advisory"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-credentials"
},
{
"source": "psirt@cisco.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.tenable.com/security/research/tra-2019-44"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-credentials"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.tenable.com/security/research/tra-2019-44"
}
],
"sourceIdentifier": "psirt@cisco.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "psirt@cisco.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2019-12702
Vulnerability from fkie_nvd - Published: 2019-10-16 19:15 - Updated: 2024-11-21 04:23
Severity ?
Summary
A vulnerability in the web-based management interface of Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, remote attacker to conduct cross-site scripting attacks. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of the affected software. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| cisco | spa112_firmware | * | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112 | - | |
| cisco | spa122_firmware | * | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122 | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CDE978DB-5C48-4E25-A67E-497F033366E1",
"versionEndExcluding": "1.4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:-:*:*:*:*:*:*",
"matchCriteriaId": "CDBCF90E-2E7B-4A58-B0DF-4A02D880EF0D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr1:*:*:*:*:*:*",
"matchCriteriaId": "661CECD1-038C-41B1-AEB7-9C3E5087E088",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr2:*:*:*:*:*:*",
"matchCriteriaId": "691B5688-DDAF-49EE-8E9F-ABB06BB628B0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr3:*:*:*:*:*:*",
"matchCriteriaId": "C4BAC9C2-3475-42EC-81FA-12BE338C936A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:cisco:spa112:-:*:*:*:*:*:*:*",
"matchCriteriaId": "F61B8649-0781-4AF5-8CED-34616A9524FF",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "22E490C8-BA3D-44E0-A677-C3311489EED5",
"versionEndExcluding": "1.4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:-:*:*:*:*:*:*",
"matchCriteriaId": "30A5E568-2B2A-4A46-99E9-5FC203F96347",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr1:*:*:*:*:*:*",
"matchCriteriaId": "4A1FCBBE-9EE3-4D9D-AD25-2D4FA5893263",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr2:*:*:*:*:*:*",
"matchCriteriaId": "6D77D805-40B9-41F1-9A1A-C1A85E89361E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr3:*:*:*:*:*:*",
"matchCriteriaId": "1B7D0675-063B-45A2-985D-B32FF3D6E15B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:cisco:spa122:-:*:*:*:*:*:*:*",
"matchCriteriaId": "8C874C71-46D9-48A4-81C9-7ADDDB22FC8C",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in the web-based management interface of Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, remote attacker to conduct cross-site scripting attacks. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of the affected software. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information."
},
{
"lang": "es",
"value": "Una vulnerabilidad en la interfaz de administraci\u00f3n basada en web de los dispositivos Cisco SPA100 Series Analog Telephone Adapters (ATAs), podr\u00eda permitir a un atacante remoto autenticado conducir ataques de tipo cross-site scripting. La vulnerabilidad es debido a una comprobaci\u00f3n insuficiente de la entrada suministrada por el usuario mediante la interfaz de administraci\u00f3n basada en web del software afectado. Un atacante podr\u00eda explotar esta vulnerabilidad persuadiendo a un usuario para que haga clic en un enlace dise\u00f1ado. Una explotaci\u00f3n con \u00e9xito podr\u00eda permitir al atacante ejecutar c\u00f3digo de script arbitrario en el contexto de la interfaz afectada o acceder a informaci\u00f3n confidencial basada en navegador."
}
],
"id": "CVE-2019-12702",
"lastModified": "2024-11-21T04:23:23.773",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "psirt@cisco.com",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-10-16T19:15:11.427",
"references": [
{
"source": "psirt@cisco.com",
"tags": [
"Vendor Advisory"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-reflected-xss"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-reflected-xss"
}
],
"sourceIdentifier": "psirt@cisco.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "psirt@cisco.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2019-12704
Vulnerability from fkie_nvd - Published: 2019-10-16 19:15 - Updated: 2024-11-21 04:23
Severity ?
Summary
A vulnerability in the web-based management interface of Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, remote attacker to view the contents of arbitrary files on an affected device. The vulnerability is due to improper input validation in the web-based management interface. An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface of an affected device. A successful exploit could allow the attacker to retrieve the contents of arbitrary files on the device, possibly resulting in the disclosure of sensitive information.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| cisco | spa112_firmware | * | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112_firmware | 1.4.1 | |
| cisco | spa112 | - | |
| cisco | spa122_firmware | * | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122_firmware | 1.4.1 | |
| cisco | spa122 | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CDE978DB-5C48-4E25-A67E-497F033366E1",
"versionEndExcluding": "1.4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:-:*:*:*:*:*:*",
"matchCriteriaId": "CDBCF90E-2E7B-4A58-B0DF-4A02D880EF0D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr1:*:*:*:*:*:*",
"matchCriteriaId": "661CECD1-038C-41B1-AEB7-9C3E5087E088",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr2:*:*:*:*:*:*",
"matchCriteriaId": "691B5688-DDAF-49EE-8E9F-ABB06BB628B0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr3:*:*:*:*:*:*",
"matchCriteriaId": "C4BAC9C2-3475-42EC-81FA-12BE338C936A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:cisco:spa112:-:*:*:*:*:*:*:*",
"matchCriteriaId": "F61B8649-0781-4AF5-8CED-34616A9524FF",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "22E490C8-BA3D-44E0-A677-C3311489EED5",
"versionEndExcluding": "1.4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:-:*:*:*:*:*:*",
"matchCriteriaId": "30A5E568-2B2A-4A46-99E9-5FC203F96347",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr1:*:*:*:*:*:*",
"matchCriteriaId": "4A1FCBBE-9EE3-4D9D-AD25-2D4FA5893263",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr2:*:*:*:*:*:*",
"matchCriteriaId": "6D77D805-40B9-41F1-9A1A-C1A85E89361E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr3:*:*:*:*:*:*",
"matchCriteriaId": "1B7D0675-063B-45A2-985D-B32FF3D6E15B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:cisco:spa122:-:*:*:*:*:*:*:*",
"matchCriteriaId": "8C874C71-46D9-48A4-81C9-7ADDDB22FC8C",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in the web-based management interface of Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, remote attacker to view the contents of arbitrary files on an affected device. The vulnerability is due to improper input validation in the web-based management interface. An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface of an affected device. A successful exploit could allow the attacker to retrieve the contents of arbitrary files on the device, possibly resulting in the disclosure of sensitive information."
},
{
"lang": "es",
"value": "Una vulnerabilidad en la interfaz de administraci\u00f3n basada en web de los dispositivos Cisco SPA100 Series Analog Telephone Adapters (ATAs), podr\u00eda permitir a un atacante remoto autenticado visualice el contenido de archivos arbitrarios en un dispositivo afectado. La vulnerabilidad es debido a una comprobaci\u00f3n de entrada inapropiada en la interfaz de administraci\u00f3n basada en web. Un atacante podr\u00eda explotar esta vulnerabilidad mediante el env\u00edo de una petici\u00f3n dise\u00f1ada hacia la interfaz de administraci\u00f3n basada en web de un dispositivo afectado. Una explotaci\u00f3n con \u00e9xito podr\u00eda permitir al atacante recuperar el contenido de archivos arbitrarios en el dispositivo, posiblemente resultando en la divulgaci\u00f3n de informaci\u00f3n confidencial."
}
],
"id": "CVE-2019-12704",
"lastModified": "2024-11-21T04:23:24.040",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "psirt@cisco.com",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-10-16T19:15:11.643",
"references": [
{
"source": "psirt@cisco.com",
"tags": [
"Vendor Advisory"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-ui-disclosure"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-ui-disclosure"
}
],
"sourceIdentifier": "psirt@cisco.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "psirt@cisco.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2023-20126 (GCVE-0-2023-20126)
Vulnerability from cvelistv5 – Published: 2023-05-04 00:00 – Updated: 2024-10-28 16:29
VLAI?
Title
Cisco SPA112 2-Port Phone Adapters Remote Command Execution Vulnerability
Summary
A vulnerability in the web-based management interface of Cisco SPA112 2-Port Phone Adapters could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to a missing authentication process within the firmware upgrade function. An attacker could exploit this vulnerability by upgrading an affected device to a crafted version of firmware. A successful exploit could allow the attacker to execute arbitrary code on the affected device with full privileges. Cisco has not released firmware updates to address this vulnerability.
Severity ?
9.8 (Critical)
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Cisco | Cisco Small Business IP Phones |
Affected:
n/a
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:57:35.666Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "20230503 Cisco SPA112 2-Port Phone Adapters Remote Command Execution Vulnerability",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-spa-unauth-upgrade-UqhyTWW"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-20126",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-28T16:27:07.265234Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-28T16:29:55.803Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Cisco Small Business IP Phones ",
"vendor": "Cisco",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2023-05-03T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in the web-based management interface of Cisco SPA112 2-Port Phone Adapters could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to a missing authentication process within the firmware upgrade function. An attacker could exploit this vulnerability by upgrading an affected device to a crafted version of firmware. A successful exploit could allow the attacker to execute arbitrary code on the affected device with full privileges. Cisco has not released firmware updates to address this vulnerability."
}
],
"exploits": [
{
"lang": "en",
"value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. "
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-04T00:00:00",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"name": "20230503 Cisco SPA112 2-Port Phone Adapters Remote Command Execution Vulnerability",
"tags": [
"vendor-advisory"
],
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-spa-unauth-upgrade-UqhyTWW"
}
],
"source": {
"advisory": "cisco-sa-spa-unauth-upgrade-UqhyTWW",
"defect": [
[
"CSCwe50762"
]
],
"discovery": "INTERNAL"
},
"title": "Cisco SPA112 2-Port Phone Adapters Remote Command Execution Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2023-20126",
"datePublished": "2023-05-04T00:00:00",
"dateReserved": "2022-10-27T00:00:00",
"dateUpdated": "2024-10-28T16:29:55.803Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-15258 (GCVE-0-2019-15258)
Vulnerability from cvelistv5 – Published: 2019-10-16 18:36 – Updated: 2024-11-21 19:08
VLAI?
Title
Cisco SPA100 Series Analog Telephone Adapters Web Management Interface Denial of Service Vulnerability
Summary
A vulnerability in the web-based management interface of Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, remote attacker to cause a denial of service condition on an affected device. The vulnerability is due to improper validation of user-supplied requests to the web-based management interface. An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface of an affected device. A successful exploit could allow the attacker to cause the device to stop responding, requiring manual intervention for recovery.
Severity ?
6.5 (Medium)
CWE
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Cisco | Cisco SPA112 2-Port Phone Adapter |
Affected:
unspecified , < n/a
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T00:42:00.685Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "20191016 Cisco SPA100 Series Analog Telephone Adapters Web Management Interface Denial of Service Vulnerability",
"tags": [
"vendor-advisory",
"x_refsource_CISCO",
"x_transferred"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-webui-dos"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.tenable.com/security/research/tra-2019-44"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2019-15258",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-21T18:56:11.971283Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-21T19:08:16.164Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Cisco SPA112 2-Port Phone Adapter",
"vendor": "Cisco",
"versions": [
{
"lessThan": "n/a",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2019-10-16T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in the web-based management interface of Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, remote attacker to cause a denial of service condition on an affected device. The vulnerability is due to improper validation of user-supplied requests to the web-based management interface. An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface of an affected device. A successful exploit could allow the attacker to cause the device to stop responding, requiring manual intervention for recovery."
}
],
"exploits": [
{
"lang": "en",
"value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-399",
"description": "CWE-399",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-10-17T19:06:07",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"name": "20191016 Cisco SPA100 Series Analog Telephone Adapters Web Management Interface Denial of Service Vulnerability",
"tags": [
"vendor-advisory",
"x_refsource_CISCO"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-webui-dos"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.tenable.com/security/research/tra-2019-44"
}
],
"source": {
"advisory": "cisco-sa-20191016-spa-webui-dos",
"defect": [
[
"CSCvq50529"
]
],
"discovery": "INTERNAL"
},
"title": "Cisco SPA100 Series Analog Telephone Adapters Web Management Interface Denial of Service Vulnerability",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@cisco.com",
"DATE_PUBLIC": "2019-10-16T16:00:00-0700",
"ID": "CVE-2019-15258",
"STATE": "PUBLIC",
"TITLE": "Cisco SPA100 Series Analog Telephone Adapters Web Management Interface Denial of Service Vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Cisco SPA112 2-Port Phone Adapter",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "Cisco"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability in the web-based management interface of Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, remote attacker to cause a denial of service condition on an affected device. The vulnerability is due to improper validation of user-supplied requests to the web-based management interface. An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface of an affected device. A successful exploit could allow the attacker to cause the device to stop responding, requiring manual intervention for recovery."
}
]
},
"exploit": [
{
"lang": "en",
"value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."
}
],
"impact": {
"cvss": {
"baseScore": "6.5",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-399"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "20191016 Cisco SPA100 Series Analog Telephone Adapters Web Management Interface Denial of Service Vulnerability",
"refsource": "CISCO",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-webui-dos"
},
{
"name": "https://www.tenable.com/security/research/tra-2019-44",
"refsource": "MISC",
"url": "https://www.tenable.com/security/research/tra-2019-44"
}
]
},
"source": {
"advisory": "cisco-sa-20191016-spa-webui-dos",
"defect": [
[
"CSCvq50529"
]
],
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2019-15258",
"datePublished": "2019-10-16T18:36:38.179332Z",
"dateReserved": "2019-08-20T00:00:00",
"dateUpdated": "2024-11-21T19:08:16.164Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-15252 (GCVE-0-2019-15252)
Vulnerability from cvelistv5 – Published: 2019-10-16 18:36 – Updated: 2024-11-20 17:05
VLAI?
Title
Cisco SPA100 Series Analog Telephone Adapters Remote Code Execution Vulnerabilities
Summary
Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, adjacent attacker to execute arbitrary code with elevated privileges. The vulnerabilities are due to improper validation of user-supplied input to the web-based management interface. An attacker could exploit these vulnerabilities by authenticating to the web-based management interface and sending crafted requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges. Note: The web-based management interface is enabled by default.
Severity ?
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Cisco | Cisco SPA112 2-Port Phone Adapter |
Affected:
unspecified , < n/a
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T00:42:03.455Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "20191016 Cisco SPA100 Series Analog Telephone Adapters Remote Code Execution Vulnerabilities",
"tags": [
"vendor-advisory",
"x_refsource_CISCO",
"x_transferred"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-rce"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2019-15252",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-20T16:50:48.379576Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-20T17:05:24.829Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Cisco SPA112 2-Port Phone Adapter",
"vendor": "Cisco",
"versions": [
{
"lessThan": "n/a",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2019-10-16T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, adjacent attacker to execute arbitrary code with elevated privileges. The vulnerabilities are due to improper validation of user-supplied input to the web-based management interface. An attacker could exploit these vulnerabilities by authenticating to the web-based management interface and sending crafted requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges. Note: The web-based management interface is enabled by default."
}
],
"exploits": [
{
"lang": "en",
"value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any malicious use of the vulnerability that is described in this advisory."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "CWE-119",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-10-16T18:36:37",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"name": "20191016 Cisco SPA100 Series Analog Telephone Adapters Remote Code Execution Vulnerabilities",
"tags": [
"vendor-advisory",
"x_refsource_CISCO"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-rce"
}
],
"source": {
"advisory": "cisco-sa-20191016-spa-rce",
"defect": [
[
"CSCvq50494"
]
],
"discovery": "INTERNAL"
},
"title": "Cisco SPA100 Series Analog Telephone Adapters Remote Code Execution Vulnerabilities",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@cisco.com",
"DATE_PUBLIC": "2019-10-16T16:00:00-0700",
"ID": "CVE-2019-15252",
"STATE": "PUBLIC",
"TITLE": "Cisco SPA100 Series Analog Telephone Adapters Remote Code Execution Vulnerabilities"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Cisco SPA112 2-Port Phone Adapter",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "Cisco"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, adjacent attacker to execute arbitrary code with elevated privileges. The vulnerabilities are due to improper validation of user-supplied input to the web-based management interface. An attacker could exploit these vulnerabilities by authenticating to the web-based management interface and sending crafted requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges. Note: The web-based management interface is enabled by default."
}
]
},
"exploit": [
{
"lang": "en",
"value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any malicious use of the vulnerability that is described in this advisory."
}
],
"impact": {
"cvss": {
"baseScore": "8.0",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-119"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "20191016 Cisco SPA100 Series Analog Telephone Adapters Remote Code Execution Vulnerabilities",
"refsource": "CISCO",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-rce"
}
]
},
"source": {
"advisory": "cisco-sa-20191016-spa-rce",
"defect": [
[
"CSCvq50494"
]
],
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2019-15252",
"datePublished": "2019-10-16T18:36:37.146153Z",
"dateReserved": "2019-08-20T00:00:00",
"dateUpdated": "2024-11-20T17:05:24.829Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-15257 (GCVE-0-2019-15257)
Vulnerability from cvelistv5 – Published: 2019-10-16 18:36 – Updated: 2024-11-21 19:08
VLAI?
Title
Cisco SPA100 Series Analog Telephone Adapters Running Configuration Information Disclosure Vulnerability
Summary
A vulnerability in the web-based management interface of Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, remote attacker to access sensitive information on an affected device. The vulnerability is due to improper restrictions on configuration information. An attacker could exploit this vulnerability by sending a request to an affected device through the web-based management interface. A successful exploit could allow the attacker to return running configuration information that could also include sensitive information.
Severity ?
6.5 (Medium)
CWE
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Cisco | Cisco SPA112 2-Port Phone Adapter |
Affected:
unspecified , < n/a
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T00:42:03.761Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "20191016 Cisco SPA100 Series Analog Telephone Adapters Running Configuration Information Disclosure Vulnerability",
"tags": [
"vendor-advisory",
"x_refsource_CISCO",
"x_transferred"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-running-config"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.tenable.com/security/research/tra-2019-44"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2019-15257",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-21T18:56:13.504439Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-21T19:08:24.331Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Cisco SPA112 2-Port Phone Adapter",
"vendor": "Cisco",
"versions": [
{
"lessThan": "n/a",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2019-10-16T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in the web-based management interface of Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, remote attacker to access sensitive information on an affected device. The vulnerability is due to improper restrictions on configuration information. An attacker could exploit this vulnerability by sending a request to an affected device through the web-based management interface. A successful exploit could allow the attacker to return running configuration information that could also include sensitive information."
}
],
"exploits": [
{
"lang": "en",
"value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-10-17T19:06:08",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"name": "20191016 Cisco SPA100 Series Analog Telephone Adapters Running Configuration Information Disclosure Vulnerability",
"tags": [
"vendor-advisory",
"x_refsource_CISCO"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-running-config"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.tenable.com/security/research/tra-2019-44"
}
],
"source": {
"advisory": "cisco-sa-20191016-spa-running-config",
"defect": [
[
"CSCvq50523"
]
],
"discovery": "INTERNAL"
},
"title": "Cisco SPA100 Series Analog Telephone Adapters Running Configuration Information Disclosure Vulnerability",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@cisco.com",
"DATE_PUBLIC": "2019-10-16T16:00:00-0700",
"ID": "CVE-2019-15257",
"STATE": "PUBLIC",
"TITLE": "Cisco SPA100 Series Analog Telephone Adapters Running Configuration Information Disclosure Vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Cisco SPA112 2-Port Phone Adapter",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "Cisco"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability in the web-based management interface of Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, remote attacker to access sensitive information on an affected device. The vulnerability is due to improper restrictions on configuration information. An attacker could exploit this vulnerability by sending a request to an affected device through the web-based management interface. A successful exploit could allow the attacker to return running configuration information that could also include sensitive information."
}
]
},
"exploit": [
{
"lang": "en",
"value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."
}
],
"impact": {
"cvss": {
"baseScore": "6.5",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-200"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "20191016 Cisco SPA100 Series Analog Telephone Adapters Running Configuration Information Disclosure Vulnerability",
"refsource": "CISCO",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-running-config"
},
{
"name": "https://www.tenable.com/security/research/tra-2019-44",
"refsource": "MISC",
"url": "https://www.tenable.com/security/research/tra-2019-44"
}
]
},
"source": {
"advisory": "cisco-sa-20191016-spa-running-config",
"defect": [
[
"CSCvq50523"
]
],
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2019-15257",
"datePublished": "2019-10-16T18:36:37.695788Z",
"dateReserved": "2019-08-20T00:00:00",
"dateUpdated": "2024-11-21T19:08:24.331Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-15250 (GCVE-0-2019-15250)
Vulnerability from cvelistv5 – Published: 2019-10-16 18:36 – Updated: 2024-11-20 17:05
VLAI?
Title
Cisco SPA100 Series Analog Telephone Adapters Remote Code Execution Vulnerabilities
Summary
Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, adjacent attacker to execute arbitrary code with elevated privileges. The vulnerabilities are due to improper validation of user-supplied input to the web-based management interface. An attacker could exploit these vulnerabilities by authenticating to the web-based management interface and sending crafted requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges. Note: The web-based management interface is enabled by default.
Severity ?
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Cisco | Cisco SPA112 2-Port Phone Adapter |
Affected:
unspecified , < n/a
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T00:42:00.534Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "20191016 Cisco SPA100 Series Analog Telephone Adapters Remote Code Execution Vulnerabilities",
"tags": [
"vendor-advisory",
"x_refsource_CISCO",
"x_transferred"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-rce"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2019-15250",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-20T16:50:51.965793Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-20T17:05:38.207Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Cisco SPA112 2-Port Phone Adapter",
"vendor": "Cisco",
"versions": [
{
"lessThan": "n/a",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2019-10-16T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, adjacent attacker to execute arbitrary code with elevated privileges. The vulnerabilities are due to improper validation of user-supplied input to the web-based management interface. An attacker could exploit these vulnerabilities by authenticating to the web-based management interface and sending crafted requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges. Note: The web-based management interface is enabled by default."
}
],
"exploits": [
{
"lang": "en",
"value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any malicious use of the vulnerability that is described in this advisory."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "CWE-119",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-10-16T18:36:35",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"name": "20191016 Cisco SPA100 Series Analog Telephone Adapters Remote Code Execution Vulnerabilities",
"tags": [
"vendor-advisory",
"x_refsource_CISCO"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-rce"
}
],
"source": {
"advisory": "cisco-sa-20191016-spa-rce",
"defect": [
[
"CSCvq50494"
]
],
"discovery": "INTERNAL"
},
"title": "Cisco SPA100 Series Analog Telephone Adapters Remote Code Execution Vulnerabilities",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@cisco.com",
"DATE_PUBLIC": "2019-10-16T16:00:00-0700",
"ID": "CVE-2019-15250",
"STATE": "PUBLIC",
"TITLE": "Cisco SPA100 Series Analog Telephone Adapters Remote Code Execution Vulnerabilities"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Cisco SPA112 2-Port Phone Adapter",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "Cisco"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, adjacent attacker to execute arbitrary code with elevated privileges. The vulnerabilities are due to improper validation of user-supplied input to the web-based management interface. An attacker could exploit these vulnerabilities by authenticating to the web-based management interface and sending crafted requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges. Note: The web-based management interface is enabled by default."
}
]
},
"exploit": [
{
"lang": "en",
"value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any malicious use of the vulnerability that is described in this advisory."
}
],
"impact": {
"cvss": {
"baseScore": "8.0",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-119"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "20191016 Cisco SPA100 Series Analog Telephone Adapters Remote Code Execution Vulnerabilities",
"refsource": "CISCO",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-rce"
}
]
},
"source": {
"advisory": "cisco-sa-20191016-spa-rce",
"defect": [
[
"CSCvq50494"
]
],
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2019-15250",
"datePublished": "2019-10-16T18:36:36.053463Z",
"dateReserved": "2019-08-20T00:00:00",
"dateUpdated": "2024-11-20T17:05:38.207Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-15251 (GCVE-0-2019-15251)
Vulnerability from cvelistv5 – Published: 2019-10-16 18:36 – Updated: 2024-11-20 17:05
VLAI?
Title
Cisco SPA100 Series Analog Telephone Adapters Remote Code Execution Vulnerabilities
Summary
Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, adjacent attacker to execute arbitrary code with elevated privileges. The vulnerabilities are due to improper validation of user-supplied input to the web-based management interface. An attacker could exploit these vulnerabilities by authenticating to the web-based management interface and sending crafted requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges. Note: The web-based management interface is enabled by default.
Severity ?
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Cisco | Cisco SPA112 2-Port Phone Adapter |
Affected:
unspecified , < n/a
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T00:42:00.810Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "20191016 Cisco SPA100 Series Analog Telephone Adapters Remote Code Execution Vulnerabilities",
"tags": [
"vendor-advisory",
"x_refsource_CISCO",
"x_transferred"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-rce"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2019-15251",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-20T16:50:49.993429Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-20T17:05:31.855Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Cisco SPA112 2-Port Phone Adapter",
"vendor": "Cisco",
"versions": [
{
"lessThan": "n/a",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2019-10-16T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, adjacent attacker to execute arbitrary code with elevated privileges. The vulnerabilities are due to improper validation of user-supplied input to the web-based management interface. An attacker could exploit these vulnerabilities by authenticating to the web-based management interface and sending crafted requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges. Note: The web-based management interface is enabled by default."
}
],
"exploits": [
{
"lang": "en",
"value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any malicious use of the vulnerability that is described in this advisory."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "CWE-119",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-10-16T18:36:36",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"name": "20191016 Cisco SPA100 Series Analog Telephone Adapters Remote Code Execution Vulnerabilities",
"tags": [
"vendor-advisory",
"x_refsource_CISCO"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-rce"
}
],
"source": {
"advisory": "cisco-sa-20191016-spa-rce",
"defect": [
[
"CSCvq50494"
]
],
"discovery": "INTERNAL"
},
"title": "Cisco SPA100 Series Analog Telephone Adapters Remote Code Execution Vulnerabilities",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@cisco.com",
"DATE_PUBLIC": "2019-10-16T16:00:00-0700",
"ID": "CVE-2019-15251",
"STATE": "PUBLIC",
"TITLE": "Cisco SPA100 Series Analog Telephone Adapters Remote Code Execution Vulnerabilities"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Cisco SPA112 2-Port Phone Adapter",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "Cisco"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, adjacent attacker to execute arbitrary code with elevated privileges. The vulnerabilities are due to improper validation of user-supplied input to the web-based management interface. An attacker could exploit these vulnerabilities by authenticating to the web-based management interface and sending crafted requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges. Note: The web-based management interface is enabled by default."
}
]
},
"exploit": [
{
"lang": "en",
"value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any malicious use of the vulnerability that is described in this advisory."
}
],
"impact": {
"cvss": {
"baseScore": "8.0",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-119"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "20191016 Cisco SPA100 Series Analog Telephone Adapters Remote Code Execution Vulnerabilities",
"refsource": "CISCO",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-rce"
}
]
},
"source": {
"advisory": "cisco-sa-20191016-spa-rce",
"defect": [
[
"CSCvq50494"
]
],
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2019-15251",
"datePublished": "2019-10-16T18:36:36.493116Z",
"dateReserved": "2019-08-20T00:00:00",
"dateUpdated": "2024-11-20T17:05:31.855Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-20126 (GCVE-0-2023-20126)
Vulnerability from nvd – Published: 2023-05-04 00:00 – Updated: 2024-10-28 16:29
VLAI?
Title
Cisco SPA112 2-Port Phone Adapters Remote Command Execution Vulnerability
Summary
A vulnerability in the web-based management interface of Cisco SPA112 2-Port Phone Adapters could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to a missing authentication process within the firmware upgrade function. An attacker could exploit this vulnerability by upgrading an affected device to a crafted version of firmware. A successful exploit could allow the attacker to execute arbitrary code on the affected device with full privileges. Cisco has not released firmware updates to address this vulnerability.
Severity ?
9.8 (Critical)
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Cisco | Cisco Small Business IP Phones |
Affected:
n/a
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:57:35.666Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "20230503 Cisco SPA112 2-Port Phone Adapters Remote Command Execution Vulnerability",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-spa-unauth-upgrade-UqhyTWW"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-20126",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-28T16:27:07.265234Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-28T16:29:55.803Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Cisco Small Business IP Phones ",
"vendor": "Cisco",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2023-05-03T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in the web-based management interface of Cisco SPA112 2-Port Phone Adapters could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to a missing authentication process within the firmware upgrade function. An attacker could exploit this vulnerability by upgrading an affected device to a crafted version of firmware. A successful exploit could allow the attacker to execute arbitrary code on the affected device with full privileges. Cisco has not released firmware updates to address this vulnerability."
}
],
"exploits": [
{
"lang": "en",
"value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. "
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-04T00:00:00",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"name": "20230503 Cisco SPA112 2-Port Phone Adapters Remote Command Execution Vulnerability",
"tags": [
"vendor-advisory"
],
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-spa-unauth-upgrade-UqhyTWW"
}
],
"source": {
"advisory": "cisco-sa-spa-unauth-upgrade-UqhyTWW",
"defect": [
[
"CSCwe50762"
]
],
"discovery": "INTERNAL"
},
"title": "Cisco SPA112 2-Port Phone Adapters Remote Command Execution Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2023-20126",
"datePublished": "2023-05-04T00:00:00",
"dateReserved": "2022-10-27T00:00:00",
"dateUpdated": "2024-10-28T16:29:55.803Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-15258 (GCVE-0-2019-15258)
Vulnerability from nvd – Published: 2019-10-16 18:36 – Updated: 2024-11-21 19:08
VLAI?
Title
Cisco SPA100 Series Analog Telephone Adapters Web Management Interface Denial of Service Vulnerability
Summary
A vulnerability in the web-based management interface of Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, remote attacker to cause a denial of service condition on an affected device. The vulnerability is due to improper validation of user-supplied requests to the web-based management interface. An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface of an affected device. A successful exploit could allow the attacker to cause the device to stop responding, requiring manual intervention for recovery.
Severity ?
6.5 (Medium)
CWE
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Cisco | Cisco SPA112 2-Port Phone Adapter |
Affected:
unspecified , < n/a
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T00:42:00.685Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "20191016 Cisco SPA100 Series Analog Telephone Adapters Web Management Interface Denial of Service Vulnerability",
"tags": [
"vendor-advisory",
"x_refsource_CISCO",
"x_transferred"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-webui-dos"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.tenable.com/security/research/tra-2019-44"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2019-15258",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-21T18:56:11.971283Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-21T19:08:16.164Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Cisco SPA112 2-Port Phone Adapter",
"vendor": "Cisco",
"versions": [
{
"lessThan": "n/a",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2019-10-16T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in the web-based management interface of Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, remote attacker to cause a denial of service condition on an affected device. The vulnerability is due to improper validation of user-supplied requests to the web-based management interface. An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface of an affected device. A successful exploit could allow the attacker to cause the device to stop responding, requiring manual intervention for recovery."
}
],
"exploits": [
{
"lang": "en",
"value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-399",
"description": "CWE-399",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-10-17T19:06:07",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"name": "20191016 Cisco SPA100 Series Analog Telephone Adapters Web Management Interface Denial of Service Vulnerability",
"tags": [
"vendor-advisory",
"x_refsource_CISCO"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-webui-dos"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.tenable.com/security/research/tra-2019-44"
}
],
"source": {
"advisory": "cisco-sa-20191016-spa-webui-dos",
"defect": [
[
"CSCvq50529"
]
],
"discovery": "INTERNAL"
},
"title": "Cisco SPA100 Series Analog Telephone Adapters Web Management Interface Denial of Service Vulnerability",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@cisco.com",
"DATE_PUBLIC": "2019-10-16T16:00:00-0700",
"ID": "CVE-2019-15258",
"STATE": "PUBLIC",
"TITLE": "Cisco SPA100 Series Analog Telephone Adapters Web Management Interface Denial of Service Vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Cisco SPA112 2-Port Phone Adapter",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "Cisco"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability in the web-based management interface of Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, remote attacker to cause a denial of service condition on an affected device. The vulnerability is due to improper validation of user-supplied requests to the web-based management interface. An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface of an affected device. A successful exploit could allow the attacker to cause the device to stop responding, requiring manual intervention for recovery."
}
]
},
"exploit": [
{
"lang": "en",
"value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."
}
],
"impact": {
"cvss": {
"baseScore": "6.5",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-399"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "20191016 Cisco SPA100 Series Analog Telephone Adapters Web Management Interface Denial of Service Vulnerability",
"refsource": "CISCO",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-webui-dos"
},
{
"name": "https://www.tenable.com/security/research/tra-2019-44",
"refsource": "MISC",
"url": "https://www.tenable.com/security/research/tra-2019-44"
}
]
},
"source": {
"advisory": "cisco-sa-20191016-spa-webui-dos",
"defect": [
[
"CSCvq50529"
]
],
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2019-15258",
"datePublished": "2019-10-16T18:36:38.179332Z",
"dateReserved": "2019-08-20T00:00:00",
"dateUpdated": "2024-11-21T19:08:16.164Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-15252 (GCVE-0-2019-15252)
Vulnerability from nvd – Published: 2019-10-16 18:36 – Updated: 2024-11-20 17:05
VLAI?
Title
Cisco SPA100 Series Analog Telephone Adapters Remote Code Execution Vulnerabilities
Summary
Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, adjacent attacker to execute arbitrary code with elevated privileges. The vulnerabilities are due to improper validation of user-supplied input to the web-based management interface. An attacker could exploit these vulnerabilities by authenticating to the web-based management interface and sending crafted requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges. Note: The web-based management interface is enabled by default.
Severity ?
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Cisco | Cisco SPA112 2-Port Phone Adapter |
Affected:
unspecified , < n/a
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T00:42:03.455Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "20191016 Cisco SPA100 Series Analog Telephone Adapters Remote Code Execution Vulnerabilities",
"tags": [
"vendor-advisory",
"x_refsource_CISCO",
"x_transferred"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-rce"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2019-15252",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-20T16:50:48.379576Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-20T17:05:24.829Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Cisco SPA112 2-Port Phone Adapter",
"vendor": "Cisco",
"versions": [
{
"lessThan": "n/a",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2019-10-16T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, adjacent attacker to execute arbitrary code with elevated privileges. The vulnerabilities are due to improper validation of user-supplied input to the web-based management interface. An attacker could exploit these vulnerabilities by authenticating to the web-based management interface and sending crafted requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges. Note: The web-based management interface is enabled by default."
}
],
"exploits": [
{
"lang": "en",
"value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any malicious use of the vulnerability that is described in this advisory."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "CWE-119",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-10-16T18:36:37",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"name": "20191016 Cisco SPA100 Series Analog Telephone Adapters Remote Code Execution Vulnerabilities",
"tags": [
"vendor-advisory",
"x_refsource_CISCO"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-rce"
}
],
"source": {
"advisory": "cisco-sa-20191016-spa-rce",
"defect": [
[
"CSCvq50494"
]
],
"discovery": "INTERNAL"
},
"title": "Cisco SPA100 Series Analog Telephone Adapters Remote Code Execution Vulnerabilities",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@cisco.com",
"DATE_PUBLIC": "2019-10-16T16:00:00-0700",
"ID": "CVE-2019-15252",
"STATE": "PUBLIC",
"TITLE": "Cisco SPA100 Series Analog Telephone Adapters Remote Code Execution Vulnerabilities"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Cisco SPA112 2-Port Phone Adapter",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "Cisco"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, adjacent attacker to execute arbitrary code with elevated privileges. The vulnerabilities are due to improper validation of user-supplied input to the web-based management interface. An attacker could exploit these vulnerabilities by authenticating to the web-based management interface and sending crafted requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges. Note: The web-based management interface is enabled by default."
}
]
},
"exploit": [
{
"lang": "en",
"value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any malicious use of the vulnerability that is described in this advisory."
}
],
"impact": {
"cvss": {
"baseScore": "8.0",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-119"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "20191016 Cisco SPA100 Series Analog Telephone Adapters Remote Code Execution Vulnerabilities",
"refsource": "CISCO",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-rce"
}
]
},
"source": {
"advisory": "cisco-sa-20191016-spa-rce",
"defect": [
[
"CSCvq50494"
]
],
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2019-15252",
"datePublished": "2019-10-16T18:36:37.146153Z",
"dateReserved": "2019-08-20T00:00:00",
"dateUpdated": "2024-11-20T17:05:24.829Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-15257 (GCVE-0-2019-15257)
Vulnerability from nvd – Published: 2019-10-16 18:36 – Updated: 2024-11-21 19:08
VLAI?
Title
Cisco SPA100 Series Analog Telephone Adapters Running Configuration Information Disclosure Vulnerability
Summary
A vulnerability in the web-based management interface of Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, remote attacker to access sensitive information on an affected device. The vulnerability is due to improper restrictions on configuration information. An attacker could exploit this vulnerability by sending a request to an affected device through the web-based management interface. A successful exploit could allow the attacker to return running configuration information that could also include sensitive information.
Severity ?
6.5 (Medium)
CWE
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Cisco | Cisco SPA112 2-Port Phone Adapter |
Affected:
unspecified , < n/a
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T00:42:03.761Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "20191016 Cisco SPA100 Series Analog Telephone Adapters Running Configuration Information Disclosure Vulnerability",
"tags": [
"vendor-advisory",
"x_refsource_CISCO",
"x_transferred"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-running-config"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.tenable.com/security/research/tra-2019-44"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2019-15257",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-21T18:56:13.504439Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-21T19:08:24.331Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Cisco SPA112 2-Port Phone Adapter",
"vendor": "Cisco",
"versions": [
{
"lessThan": "n/a",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2019-10-16T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in the web-based management interface of Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, remote attacker to access sensitive information on an affected device. The vulnerability is due to improper restrictions on configuration information. An attacker could exploit this vulnerability by sending a request to an affected device through the web-based management interface. A successful exploit could allow the attacker to return running configuration information that could also include sensitive information."
}
],
"exploits": [
{
"lang": "en",
"value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-10-17T19:06:08",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"name": "20191016 Cisco SPA100 Series Analog Telephone Adapters Running Configuration Information Disclosure Vulnerability",
"tags": [
"vendor-advisory",
"x_refsource_CISCO"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-running-config"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.tenable.com/security/research/tra-2019-44"
}
],
"source": {
"advisory": "cisco-sa-20191016-spa-running-config",
"defect": [
[
"CSCvq50523"
]
],
"discovery": "INTERNAL"
},
"title": "Cisco SPA100 Series Analog Telephone Adapters Running Configuration Information Disclosure Vulnerability",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@cisco.com",
"DATE_PUBLIC": "2019-10-16T16:00:00-0700",
"ID": "CVE-2019-15257",
"STATE": "PUBLIC",
"TITLE": "Cisco SPA100 Series Analog Telephone Adapters Running Configuration Information Disclosure Vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Cisco SPA112 2-Port Phone Adapter",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "Cisco"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability in the web-based management interface of Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, remote attacker to access sensitive information on an affected device. The vulnerability is due to improper restrictions on configuration information. An attacker could exploit this vulnerability by sending a request to an affected device through the web-based management interface. A successful exploit could allow the attacker to return running configuration information that could also include sensitive information."
}
]
},
"exploit": [
{
"lang": "en",
"value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."
}
],
"impact": {
"cvss": {
"baseScore": "6.5",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-200"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "20191016 Cisco SPA100 Series Analog Telephone Adapters Running Configuration Information Disclosure Vulnerability",
"refsource": "CISCO",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-running-config"
},
{
"name": "https://www.tenable.com/security/research/tra-2019-44",
"refsource": "MISC",
"url": "https://www.tenable.com/security/research/tra-2019-44"
}
]
},
"source": {
"advisory": "cisco-sa-20191016-spa-running-config",
"defect": [
[
"CSCvq50523"
]
],
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2019-15257",
"datePublished": "2019-10-16T18:36:37.695788Z",
"dateReserved": "2019-08-20T00:00:00",
"dateUpdated": "2024-11-21T19:08:24.331Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-15250 (GCVE-0-2019-15250)
Vulnerability from nvd – Published: 2019-10-16 18:36 – Updated: 2024-11-20 17:05
VLAI?
Title
Cisco SPA100 Series Analog Telephone Adapters Remote Code Execution Vulnerabilities
Summary
Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, adjacent attacker to execute arbitrary code with elevated privileges. The vulnerabilities are due to improper validation of user-supplied input to the web-based management interface. An attacker could exploit these vulnerabilities by authenticating to the web-based management interface and sending crafted requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges. Note: The web-based management interface is enabled by default.
Severity ?
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Cisco | Cisco SPA112 2-Port Phone Adapter |
Affected:
unspecified , < n/a
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T00:42:00.534Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "20191016 Cisco SPA100 Series Analog Telephone Adapters Remote Code Execution Vulnerabilities",
"tags": [
"vendor-advisory",
"x_refsource_CISCO",
"x_transferred"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-rce"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2019-15250",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-20T16:50:51.965793Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-20T17:05:38.207Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Cisco SPA112 2-Port Phone Adapter",
"vendor": "Cisco",
"versions": [
{
"lessThan": "n/a",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2019-10-16T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, adjacent attacker to execute arbitrary code with elevated privileges. The vulnerabilities are due to improper validation of user-supplied input to the web-based management interface. An attacker could exploit these vulnerabilities by authenticating to the web-based management interface and sending crafted requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges. Note: The web-based management interface is enabled by default."
}
],
"exploits": [
{
"lang": "en",
"value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any malicious use of the vulnerability that is described in this advisory."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "CWE-119",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-10-16T18:36:35",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"name": "20191016 Cisco SPA100 Series Analog Telephone Adapters Remote Code Execution Vulnerabilities",
"tags": [
"vendor-advisory",
"x_refsource_CISCO"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-rce"
}
],
"source": {
"advisory": "cisco-sa-20191016-spa-rce",
"defect": [
[
"CSCvq50494"
]
],
"discovery": "INTERNAL"
},
"title": "Cisco SPA100 Series Analog Telephone Adapters Remote Code Execution Vulnerabilities",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@cisco.com",
"DATE_PUBLIC": "2019-10-16T16:00:00-0700",
"ID": "CVE-2019-15250",
"STATE": "PUBLIC",
"TITLE": "Cisco SPA100 Series Analog Telephone Adapters Remote Code Execution Vulnerabilities"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Cisco SPA112 2-Port Phone Adapter",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "Cisco"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, adjacent attacker to execute arbitrary code with elevated privileges. The vulnerabilities are due to improper validation of user-supplied input to the web-based management interface. An attacker could exploit these vulnerabilities by authenticating to the web-based management interface and sending crafted requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges. Note: The web-based management interface is enabled by default."
}
]
},
"exploit": [
{
"lang": "en",
"value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any malicious use of the vulnerability that is described in this advisory."
}
],
"impact": {
"cvss": {
"baseScore": "8.0",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-119"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "20191016 Cisco SPA100 Series Analog Telephone Adapters Remote Code Execution Vulnerabilities",
"refsource": "CISCO",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-rce"
}
]
},
"source": {
"advisory": "cisco-sa-20191016-spa-rce",
"defect": [
[
"CSCvq50494"
]
],
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2019-15250",
"datePublished": "2019-10-16T18:36:36.053463Z",
"dateReserved": "2019-08-20T00:00:00",
"dateUpdated": "2024-11-20T17:05:38.207Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}