CVE-2019-1914

A vulnerability in the web management interface of Cisco Small Business 220 Series Smart Switches could allow an authenticated, remote attacker to perform a command injection attack. The vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a malicious request to certain parts of the web management interface. To send the malicious request, the attacker needs a valid login session in the web management interface as a privilege level 15 user. Depending on the configuration of the affected switch, the malicious request must be sent via HTTP or HTTPS. A successful exploit could allow the attacker to execute arbitrary shell commands with the privileges of the root user.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.2 HIGH
NETWORK
LOW
HIGH
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
ciscoCNA
7.2 HIGH
NETWORK
LOW
HIGH
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 84%
VendorProductVersion
ciscosf-220-24_firmware
𝑥
< 1.1.4.4
ciscosf220-24p_firmware
𝑥
< 1.1.4.4
ciscosf220-48_firmware
𝑥
< 1.1.4.4
ciscosf220-48p_firmware
𝑥
< 1.1.4.4
ciscosg220-26_firmware
𝑥
< 1.1.4.4
ciscosg220-26p_firmware
𝑥
< 1.1.4.4
ciscosg220-28_firmware
𝑥
< 1.1.4.4
ciscosg220-28mp_firmware
𝑥
< 1.1.4.4
ciscosg220-50_firmware
𝑥
< 1.1.4.4
ciscosg220-50p_firmware
𝑥
< 1.1.4.4
ciscosg220-52_firmware
𝑥
< 1.1.4.4
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://packetstormsecurity.com/files/154667/Realtek-Managed-Switch-Controller-RTL83xx-Stack-Overflow.html
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190806-sb220-inject
http://packetstormsecurity.com/files/154667/Realtek-Managed-Switch-Controller-RTL83xx-Stack-Overflow.html
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190806-sb220-inject