Detections
Analytics

Cisco Small Business RV Series Routers Command Injection (cisco-sa-sbrv-cmdinjection-Z5cWFdK)

high Nessus Plugin ID 154932

Language:

Synopsis

The remote device is missing a vendor-supplied security patch

Description

A command injection vulnerability exists in Cisco Small Business RV Series Routers due to insufficient sanitisation of user controlled input. An authenticated, remote attacker can exploit this, to execute arbitrary commands.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade to the relevant fixed version referenced in Cisco bug IDs CSCvz75703, CSCvz75705

See Also

http://www.nessus.org/u?41785694

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvz75703

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvz75705

Plugin Details

Severity: High

ID: 154932

File Name: cisco-sa-sbrv-cmdinjection-Z5cWFdK.nasl

Version: 1.5

Type: combined

Family: CISCO

Published: 11/5/2021

Updated: 11/9/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2021-40120

CVSS v3

Risk Factor: High

Base Score: 7.2

Temporal Score: 6.3

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:cisco:small_business_rv_series_router_firmware

Required KB Items: Cisco/Small_Business_Router/Version, Cisco/Small_Business_Router/Model

Exploit Ease: No known exploits are available

Patch Publication Date: 11/3/2021

Vulnerability Publication Date: 11/3/2021

Reference Information

CVE: CVE-2021-40120

CWE: 20

CISCO-SA: cisco-sa-sbrv-cmdinjection-Z5cWFdK

IAVA: 2021-A-0534

CISCO-BUG-ID: CSCvz75703, CSCvz75705