CVE-2019-12703

LOW

Description

A vulnerability in the web-based management interface of Cisco SPA122 ATA with Router Devices could allow an unauthenticated, adjacent attacker to conduct cross-site scripting attacks. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of the affected software. An attacker could exploit this vulnerability by sending malicious input to the affected software through crafted DHCP requests, and then persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.

References

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-dhcp-xss

Details

Source: MITRE

Published: 2019-10-16

Updated: 2019-10-21

Type: CWE-79

Risk Information

CVSS v2.0

Base Score: 2.9

Vector: AV:A/AC:M/Au:N/C:N/I:P/A:N

Impact Score: 2.9

Exploitability Score: 5.5

Severity: LOW

CVSS v3.0

Base Score: 5.2

Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Impact Score: 2.7

Exploitability Score: 2.1

Severity: MEDIUM

Vulnerable Software

Configuration 1

AND

OR

cpe:2.3:o:cisco:spa122_firmware:*:*:*:*:*:*:*:*

cpe:2.3:o:cisco:spa122_firmware:1.4.1:-:*:*:*:*:*:*

cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr1:*:*:*:*:*:*

cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr2:*:*:*:*:*:*

cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr3:*:*:*:*:*:*

OR

cpe:2.3:h:cisco:spa122:-:*:*:*:*:*:*:*

Tenable Plugins

View all (1 total)

IDNameProductFamilySeverity
129982Cisco SPA100 Series Multiple VulnerabilitiesNessusCISCO
medium