Vulnerability Description
A vulnerability in the web management interface of Cisco Small Business 220 Series Smart Switches could allow an authenticated, remote attacker to perform a command injection attack. The vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a malicious request to certain parts of the web management interface. To send the malicious request, the attacker needs a valid login session in the web management interface as a privilege level 15 user. Depending on the configuration of the affected switch, the malicious request must be sent via HTTP or HTTPS. A successful exploit could allow the attacker to execute arbitrary shell commands with the privileges of the root user.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Cisco | Sf-220-24 Firmware | < 1.1.4.4 |
| Cisco | Sf-220-24 | - |
| Cisco | Sf220-24P Firmware | < 1.1.4.4 |
| Cisco | Sf220-24P | - |
| Cisco | Sf220-48 Firmware | < 1.1.4.4 |
| Cisco | Sf220-48 | - |
| Cisco | Sf220-48P Firmware | < 1.1.4.4 |
| Cisco | Sf220-48P | - |
| Cisco | Sg220-26 Firmware | < 1.1.4.4 |
| Cisco | Sg220-26 | - |
| Cisco | Sg220-26P Firmware | < 1.1.4.4 |
| Cisco | Sg220-26P | - |
| Cisco | Sg220-28 Firmware | < 1.1.4.4 |
| Cisco | Sg220-28 | - |
| Cisco | Sg220-28Mp Firmware | < 1.1.4.4 |
| Cisco | Sg220-28Mp | - |
| Cisco | Sg220-50 Firmware | < 1.1.4.4 |
| Cisco | Sg220-50 | - |
| Cisco | Sg220-50P Firmware | < 1.1.4.4 |
| Cisco | Sg220-50P | - |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/154667/Realtek-Managed-Switch-Controller-RT
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-2Vendor Advisory
- http://packetstormsecurity.com/files/154667/Realtek-Managed-Switch-Controller-RT
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-2Vendor Advisory
FAQ
What is CVE-2019-1914?
CVE-2019-1914 is a vulnerability with a CVSS score of 7.2 (HIGH). A vulnerability in the web management interface of Cisco Small Business 220 Series Smart Switches could allow an authenticated, remote attacker to perform a command injection attack. The vulnerability...
How severe is CVE-2019-1914?
CVE-2019-1914 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-1914?
Check the references section above for vendor advisories and patch information. Affected products include: Cisco Sf-220-24 Firmware, Cisco Sf-220-24, Cisco Sf220-24P Firmware, Cisco Sf220-24P, Cisco Sf220-48 Firmware.