CVE-2019-1923 — MEDIUM (6.6)

Q: How severe is CVE-2019-1923?

CVE-2019-1923 has been rated MEDIUM with a CVSS base score of 6.6/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2019-1923?

Check the references section above for vendor advisories and patch information. Affected products include: Cisco Spa501G Firmware, Cisco Spa501G, Cisco Spa502G Firmware, Cisco Spa502G, Cisco Spa504G Firmware.

Vulnerability Description

A vulnerability in Cisco Small Business SPA500 Series IP Phones could allow a physically proximate attacker to execute arbitrary commands on the device. The vulnerability is due to improper input validation in the device configuration interface. An attacker could exploit this vulnerability by accessing the configuration interface, which may require a password, and then accessing the device's physical interface and inserting a USB storage device. A successful exploit could allow the attacker to execute arbitrary commands on the device in an elevated security context. At the time of publication, this vulnerability affected Cisco Small Business SPA500 Series IP Phones firmware releases 7.6.2SR5 and prior.

CVSS Score

6.6

MEDIUM

CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

PHYSICAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Cisco	Spa501G Firmware	<= 7.6.2sr5
Cisco	Spa501G	-
Cisco	Spa502G Firmware	<= 7.6.2sr5
Cisco	Spa502G	-
Cisco	Spa504G Firmware	<= 7.6.2sr5
Cisco	Spa504G	-
Cisco	Spa508G Firmware	<= 7.6.2sr5
Cisco	Spa508G	-
Cisco	Spa509G Firmware	<= 7.6.2sr5
Cisco	Spa509G	-
Cisco	Spa512G Firmware	<= 7.6.2sr5
Cisco	Spa512G	-
Cisco	Spa514G Firmware	<= 7.6.2sr5
Cisco	Spa514G	-
Cisco	Spa525G2 Firmware	<= 7.6.2sr5
Cisco	Spa525G2	-
Cisco	Spa500S Firmware	<= 7.6.2sr5
Cisco	Spa500S	-
Cisco	Spa500Ds Firmware	<= 7.6.2sr5
Cisco	Spa500Ds	-

Related Weaknesses (CWE)

CWE-20 CWE-77

References

http://www.securityfocus.com/bid/109294Third Party AdvisoryVDB Entry
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-2Vendor Advisory
http://www.securityfocus.com/bid/109294Third Party AdvisoryVDB Entry
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-2Vendor Advisory

FAQ

What is CVE-2019-1923?

CVE-2019-1923 is a vulnerability with a CVSS score of 6.6 (MEDIUM). A vulnerability in Cisco Small Business SPA500 Series IP Phones could allow a physically proximate attacker to execute arbitrary commands on the device. The vulnerability is due to improper input vali...

How severe is CVE-2019-1923?

CVE-2019-1923 has been rated MEDIUM with a CVSS base score of 6.6/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-1923?

Check the references section above for vendor advisories and patch information. Affected products include: Cisco Spa501G Firmware, Cisco Spa501G, Cisco Spa502G Firmware, Cisco Spa502G, Cisco Spa504G Firmware.