PT-2019-2790 · Cisco · Cisco Small Business Spa500 Series Ip Phones

Dustin Cobb · Published 2019-07-17 · Updated 2020-10-16 · CVE-2019-1923

CVSS v2.0: 6.8 Medium

Vector: AV:L/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

Cisco Small Business SPA500 Series IP Phones versions 7.6.2SR5 and prior

Description

The issue is related to insufficient input validation in the device configuration interface, which could allow an attacker to execute arbitrary commands on the device with elevated security context. This can be achieved by accessing the configuration interface and then using the device's physical interface to insert a USB storage device.

Recommendations

For versions 7.6.2SR5 and prior, update the firmware to a version that addresses this issue. As a temporary workaround, consider restricting access to the device configuration interface and physical interface to minimize the risk of exploitation.

Fix

Command Injection

RCE

Weakness Enumeration

Related Identifiers

BDU:2019-02742
CVE-2019-1923

Affected Products

Cisco Small Business Spa500 Series Ip Phones