CVE-2021-1543
16.06.2021, 18:15
Multiple vulnerabilities in the web-based management interface of Cisco Small Business 220 Series Smart Switches could allow an attacker to do the following: Hijack a user session Execute arbitrary commands as a root user on the underlying operating system Conduct a cross-site scripting (XSS) attack Conduct an HTML injection attack For more information about these vulnerabilities, see the Details section of this advisory.
| Vendor | Product | Version |
|---|---|---|
| cisco | sf220-24_firmware | 𝑥 < 1.2.0.6 |
| cisco | sf220-24p_firmware | 𝑥 < 1.2.0.6 |
| cisco | sf220-48_firmware | 𝑥 < 1.2.0.6 |
| cisco | sf220-48p_firmware | 𝑥 < 1.2.0.6 |
| cisco | sg220-26_firmware | 𝑥 < 1.2.0.6 |
| cisco | sg220-26p_firmware | 𝑥 < 1.2.0.6 |
| cisco | sg220-28mp_firmware | 𝑥 < 1.2.0.6 |
| cisco | sg220-50_firmware | 𝑥 < 1.2.0.6 |
| cisco | sg220-50p_firmware | 𝑥 < 1.2.0.6 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-287 - Improper AuthenticationWhen an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.