CVE-2023-20118
Severity CVSS v4.0:
Pending analysis
Type:
CWE-77
Command Injection
Publication date:
13/04/2023
Last modified:
02/04/2025
Description
A vulnerability in the web-based management interface of Cisco Small Business Routers RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary commands on an affected device.<br />
<br />
This vulnerability is due to improper validation of user input within incoming HTTP packets. An attacker could exploit this vulnerability by sending a crafted HTTP request to the web-based management interface. A successful exploit could allow the attacker to gain root-level privileges and access unauthorized data. To exploit this vulnerability, an attacker would need to have valid administrative credentials on the affected device.<br />
<br />
Cisco has not and will not release software updates that address this vulnerability. However, administrators may disable the affected feature as described in the Workarounds ["#workarounds"] section.<br />
<br />
{{value}} ["%7b%7bvalue%7d%7d"])}]]
Impact
Base Score 3.x
6.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:cisco:rv016_firmware:*:*:*:*:*:*:*:* | ||
| cpe:2.3:h:cisco:rv016:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:cisco:rv042_firmware:*:*:*:*:*:*:*:* | ||
| cpe:2.3:h:cisco:rv042:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:cisco:rv042g_firmware:*:*:*:*:*:*:*:* | ||
| cpe:2.3:h:cisco:rv042g:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:cisco:rv082_firmware:*:*:*:*:*:*:*:* | ||
| cpe:2.3:h:cisco:rv082:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:cisco:rv320_firmware:*:*:*:*:*:*:*:* | ||
| cpe:2.3:h:cisco:rv320:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:cisco:rv325_firmware:*:*:*:*:*:*:*:* | ||
| cpe:2.3:h:cisco:rv325:-:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page