Back

CVE-2024-20470

Oct. 2, 2024, 8:35 p.m.

Received
CVE has been recently published to the CVE List and has been received by the NVD.

Products

Cisco Small Business RV Series Dual WAN Gigabit VPN Routers

Source

ykramarz@cisco.com

Tags

ykramarz@cisco.com
2024-10-02
CVE-2024-20470
CWE-146

CVE-2024-20470 details

Published : Oct. 2, 2024, 5:15 p.m.
Last Modified : Oct. 2, 2024, 8:35 p.m.

Description

A vulnerability in the web-based management interface of Cisco Small Business RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an authenticated, remote attacker to execute arbitrary code on an affected device. In order to exploit this vulnerability, the attacker must have valid admin credentials. This vulnerability exists because the web-based management interface does not sufficiently validate user-supplied input. An attacker could exploit this vulnerability by sending crafted HTTP input to an affected device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system.

CVSS Score

1 2 3 4 5 6.5 7 8 9 10

Weakness

Weakness Name Description
CWE-146 Improper Neutralization of Expression/Command Delimiters The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as expression or command delimiters when they are sent to a downstream component.

CVSS Data

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

Base Score

6.5

Exploitability Score

1.2

Impact Score

5.2

Base Severity

MEDIUM

Vector String : CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

References

URL Source
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv34x-privesc-rce-qE33TCms ykramarz@cisco.com
This website uses the NVD API, but is not approved or certified by it.