Main Vulnerability Database Vulnerabilities #VU19286

#VU19286 Improper Neutralization of Special Elements used in a Command ('Command Injection') in Cisco Small Business SPA500 Series IP Phones - CVE-2019-1923

Published: July 22, 2019

Vulnerability identifier: #VU19286

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:P/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2019-1923

CWE-ID: CWE-77

Exploitation vector: Local access

Exploit availability: No public exploit available

Vulnerable software:
Cisco Small Business SPA500 Series IP Phones

Software vendor:
Cisco Systems, Inc

Description

The vulnerability allows a physically proximate attacker to execute arbitrary commands on the device.

The vulnerability exists due to the due to improper input validation in the device configuration interface. An attacker with physical access to the device can access the configuration interface, which may require a password, and then access the device's physical interface and insert a USB storage device.

Successful exploitation of this vulnerability allows the attacker to execute arbitrary commands on the device in an elevated security context.

Remediation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

External links

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190717-spa500-command

#VU19286 Improper Neutralization of Special Elements used in a Command ('Command Injection') in Cisco Small Business SPA500 Series IP Phones - CVE-2019-1923

Description

Remediation

External links

Please verify you're human