A vulnerability was found in Cisco Small Business RV Series Router (Router Operating System) (unknown version). It has been declared as problematic. Affected by this vulnerability is an unknown code block of the component Web-based Management Interface. The manipulation as part of a HTTP Requests leads to a improper authorization vulnerability. The CWE definition for the vulnerability is CWE-285. The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. As an impact it is known to affect confidentiality. The summary by CVE is:

A vulnerability in the web-based management interface of certain Cisco Small Business RV Series Routers could allow an unauthenticated, remote attacker to view information displayed in the web-based management interface. The vulnerability is due to improper authorization of HTTP requests. An attacker could exploit this vulnerability by sending crafted HTTP requests to the web-based management interface of an affected device. A successful exploit could allow the attacker to view information displayed in the web-based management interface without authentication.

The weakness was disclosed 11/26/2019 as cisco-sa-20191120-sbr-rv-infod as confirmed advisory (Website). It is possible to read the advisory at tools.cisco.com. This vulnerability is known as CVE-2019-15990 since 09/06/2019. The attack can be launched remotely. The exploitation doesn't need any form of authentication. The technical details are unknown and an exploit is not publicly available. The attack technique deployed by this issue is T1548.002 according to MITRE ATT&CK.

Upgrading eliminates this vulnerability.

Productinfo

Type

• Router Operating System

Vendor

• Cisco

Name

• Small Business RV Series Router

License

• commercial

CPE 2.3info

• 🔍

CPE 2.2info

• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion