Cisco Small Business 220 Series Smart Switches Command Injection Vulnerability
CVE-2019-1914

7.2HIGH

Key Information:

Vendor: Cisco
Status: Cisco Small Business 220 Series Smart Plus Switches
Vendor: CVE Published:; 7 August 2019

Badges

👾 Exploit Exists

Summary

A vulnerability in the web management interface of Cisco Small Business 220 Series Smart Switches could allow an authenticated, remote attacker to perform a command injection attack. The vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a malicious request to certain parts of the web management interface. To send the malicious request, the attacker needs a valid login session in the web management interface as a privilege level 15 user. Depending on the configuration of the affected switch, the malicious request must be sent via HTTP or HTTPS. A successful exploit could allow the attacker to execute arbitrary shell commands with the privileges of the root user.

Affected Version(s)

Cisco Small Business 220 Series Smart Plus Switches < 1.1.4.4

References

https://tools.cisco.com/security/center/content/CiscoSecu...

vendor-advisoryx_refsource_CISCO

http://packetstormsecurity.com/files/154667/Realtek-Manag...

x_refsource_MISC

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

👾
Exploit known to exist
Aug 4, 2024
Vulnerability published
Aug 7, 2019
Vulnerability Reserved
Dec 6, 2018