CVE-2020-3297

Severity: 9.8 CRITICAL
EPSS: 5.4% (top 9.86%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jul 2; Latest update May 24

Description

A vulnerability in session management for the web-based interface of Cisco Small Business Smart and Managed Switches could allow an unauthenticated, remote attacker to defeat authentication protections and gain unauthorized access to the management interface. The attacker could obtain the privileges of the hijacked session account, which could include administrator privileges on the device. The vulnerability is due to the use of weak entropy generation for session identifier values. An attacke

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages: 58 packages

Vulnerability Details (2)

GHSA: GHSA-6c5p-w2ph-4fw7: A vulnerability in session management for the web-based interface of Cisco Small Business Smart and Managed Switches could allow an unauthenticated, r (2022-05-24)
CVEList: Cisco Small Business Smart and Managed Switches Session Management Vulnerability (2020-07-02)

Vendor Advisories (1)

Cisco: Cisco Small Business Smart and Managed Switches Session Management Vulnerability (2020-07-01)