Lucene search

[email protected]NVD:CVE-2019-15959

HistorySep 23, 2020 - 1:15 a.m.

CVE-2019-15959

2020-09-2301:15:12

CWE-20

[email protected]

web.nvd.nist.gov

cisco small business

spa500 series

ip phones

physically proximate attacker

arbitrary commands

development testing

verification scripts

usb storage device

elevated security context

cve-2019-15959

CVSS2

4.6

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:P/I:P/A:P

CVSS3

6.6

Attack Vector

PHYSICAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

Percentile

12.6%

JSON

A vulnerability in Cisco Small Business SPA500 Series IP Phones could allow a physically proximate attacker to execute arbitrary commands on the device. The vulnerability is due to the presence of development testing and verification scripts that remained on the device. An attacker could exploit this vulnerability by accessing the physical interface of a device and inserting a USB storage device. A successful exploit could allow the attacker to execute scripts on the device in an elevated security context.

Affected configurations

Nvd

Node

ciscospa500dsMatch-

ciscospa500sMatch-

ciscospa501gMatch-

ciscospa502gMatch-

ciscospa504gMatch-

ciscospa512gMatch-

ciscospa514gMatch-

ciscospa525gMatch-

ciscospa525g2Match-

AND

ciscospa500_series_ip_phones_firmwareRange≤7.5.7\(5\)

VendorProductVersionCPE
ciscospa500ds-cpe:2.3:h:cisco:spa500ds:-:*:*:*:*:*:*:*
ciscospa500s-cpe:2.3:h:cisco:spa500s:-:*:*:*:*:*:*:*
ciscospa501g-cpe:2.3:h:cisco:spa501g:-:*:*:*:*:*:*:*
ciscospa502g-cpe:2.3:h:cisco:spa502g:-:*:*:*:*:*:*:*
ciscospa504g-cpe:2.3:h:cisco:spa504g:-:*:*:*:*:*:*:*
ciscospa512g-cpe:2.3:h:cisco:spa512g:-:*:*:*:*:*:*:*
ciscospa514g-cpe:2.3:h:cisco:spa514g:-:*:*:*:*:*:*:*
ciscospa525g-cpe:2.3:h:cisco:spa525g:-:*:*:*:*:*:*:*
ciscospa525g2-cpe:2.3:h:cisco:spa525g2:-:*:*:*:*:*:*:*
ciscospa500_series_ip_phones_firmware*cpe:2.3:o:cisco:spa500_series_ip_phones_firmware:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
cisco	spa500ds	-	cpe:2.3:h:cisco:spa500ds:-:::::::*
cisco	spa500s	-	cpe:2.3:h:cisco:spa500s:-:::::::*
cisco	spa501g	-	cpe:2.3:h:cisco:spa501g:-:::::::*
cisco	spa502g	-	cpe:2.3:h:cisco:spa502g:-:::::::*
cisco	spa504g	-	cpe:2.3:h:cisco:spa504g:-:::::::*
cisco	spa512g	-	cpe:2.3:h:cisco:spa512g:-:::::::*
cisco	spa514g	-	cpe:2.3:h:cisco:spa514g:-:::::::*
cisco	spa525g	-	cpe:2.3:h:cisco:spa525g:-:::::::*
cisco	spa525g2	-	cpe:2.3:h:cisco:spa525g2:-:::::::*
cisco	spa500_series_ip_phones_firmware	*	cpe:2.3:o:cisco:spa500_series_ip_phones_firmware::::::::

References

tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191106-spa500-script

CVSS2

4.6

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:P/I:P/A:P

CVSS3

6.6

Attack Vector

PHYSICAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

Percentile

12.6%

JSON

Related for NVD:CVE-2019-15959

cvelist1 prion1 symantec1 cisco1 cve1