CVE-2019-12703medium
New! CVE Severity Now Using CVSS v3
The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.
Description
A vulnerability in the web-based management interface of Cisco SPA122 ATA with Router Devices could allow an unauthenticated, adjacent attacker to conduct cross-site scripting attacks. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of the affected software. An attacker could exploit this vulnerability by sending malicious input to the affected software through crafted DHCP requests, and then persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.
References
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-dhcp-xss
Details
Source: MITRE
Published: 2019-10-16
Updated: 2019-10-21
Type: CWE-79
Risk Information
CVSS v2
Base Score: 2.9
Vector: AV:A/AC:M/Au:N/C:N/I:P/A:N
Impact Score: 2.9
Exploitability Score: 5.5
Severity: LOW
CVSS v3
Base Score: 5.2
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Impact Score: 2.7
Exploitability Score: 2.1
Severity: MEDIUM
Vulnerable Software
Configuration 1
AND
OR
cpe:2.3:o:cisco:spa122_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:cisco:spa122_firmware:1.4.1:-:*:*:*:*:*:*
cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr1:*:*:*:*:*:*
OR