CVE-2024-20421
Oct. 31, 2024, 2:35 p.m.
6.5
Medium
Description
A vulnerability in the web-based management interface of Cisco ATA 190 Series Analog Telephone Adapter firmware could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device.
This vulnerability is due to insufficient CSRF protections for the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user to follow a crafted link. A successful exploit could allow the attacker to perform arbitrary actions on the affected device with the privileges of the targeted user.
Product(s) Impacted
| Vendor | Product | Versions |
|---|---|---|
| Cisco |
|
|
Weaknesses
Common security weaknesses mapped to this vulnerability.
CWE-352
Cross-Site Request Forgery (CSRF)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
*CPE(s)
Affected systems and software identified for this CVE.
| Type | Vendor | Product | Version | Update | Edition | Language | Software Edition | Target Software | Target Hardware | Other Information |
|---|---|---|---|---|---|---|---|---|---|---|
| o | cisco | ata_191_firmware | / | / | / | / | / | / | / | / |
| h | cisco | ata_191 | - | / | / | / | on-premises | / | / | / |
| o | cisco | ata_191_firmware | / | / | / | / | / | / | / | / |
| h | cisco | ata_191 | - | / | / | / | multiplatform | / | / | / |
| o | cisco | ata_192_firmware | / | / | / | / | / | / | / | / |
| h | cisco | ata_192 | - | / | / | / | multiplatform | / | / | / |
Tags
CVSS Score
CVSS Data - 3.1
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: NONE
- Scope: UNCHANGED
- Confidentiality Impact: NONE
- Integrity Impact: HIGH
- Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Timeline
Published: Oct. 16, 2024, 5:15 p.m.
Last Modified: Oct. 31, 2024, 2:35 p.m.
Last Modified: Oct. 31, 2024, 2:35 p.m.
Status : Modified
CVE has been recently published to the CVE List and has been received by the NVD.
More infoSource
ykramarz@cisco.com
*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.