CVE-2019-12708

16.10.2019, 19:15

A vulnerability in the web-based management interface of Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, remote attacker to access sensitive information on an affected device. The vulnerability is due to unsafe handling of user credentials. An attacker could exploit this vulnerability by viewing portions of the web-based management interface of an affected device. A successful exploit could allow the attacker to access administrative credentials and potentially gain elevated privileges by reusing stolen credentials on the affected device.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	6.5 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
cisco	CNA	6.5 MEDIUM	NETWORK	LOW	LOW	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 64%

Vendor	Product	Version
cisco	spa112_firmware	𝑥 < 1.4.1
cisco	spa112_firmware	1.4.1
cisco	spa112_firmware	1.4.1:sr1
cisco	spa112_firmware	1.4.1:sr2
cisco	spa112_firmware	1.4.1:sr3
cisco	spa122_firmware	𝑥 < 1.4.1
cisco	spa122_firmware	1.4.1
cisco	spa122_firmware	1.4.1:sr1
cisco	spa122_firmware	1.4.1:sr2
cisco	spa122_firmware	1.4.1:sr3

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-credentials

https://www.tenable.com/security/research/tra-2019-44

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-credentials

https://www.tenable.com/security/research/tra-2019-44