CVE-2024-20461

CWE-78 — OS Command Injection CWE-250 CWE-257 CWE-305 CWE-352 — Cross-Site Request Forgery (CSRF)CWE-804 documents4 sources

Severity

6.0MEDIUM

EPSS

0.1%

top 69.91%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cisco ATA 191 Firmware Cisco ATA 192 Firmware Cisco Cisco Analog Telephone Adaptor (ata) Software

Timeline

PublishedOct 16

Description

A vulnerability in the CLI of Cisco ATA 190 Series Analog Telephone Adapter firmware could allow an authenticated, local attacker with high privileges to execute arbitrary commands as the root user. This vulnerability exists because CLI input is not properly sanitized. An attacker could exploit this vulnerability by sending malicious characters to the CLI. A successful exploit could allow the attacker to read and write to the underlying operating system as the root user.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:NExploitability: 0.8 | Impact: 5.2

Affected Packages3 packages

▶CVEListV5cisco/cisco_analog_telephone_adaptor_(ata)_software16 versions+15

▶NVDcisco/ata_191_firmware< 12.0.2+1

▶NVDcisco/ata_192_firmware< 11.2.5

🔴Vulnerability Details

CVEList

Cisco ATA 190 Series Analog Telephone Adapter Firmware Command Injection Vulnerability↗2024-10-16

▶

GHSA

GHSA-98h2-2cpv-4fq9: A vulnerability in the CLI of Cisco ATA 190 Series Analog Telephone Adapter firmware could allow an authenticated, local attacker with high privileges↗2024-10-16

▶

📋Vendor Advisories

Cisco

Cisco ATA 190 Series Analog Telephone Adapter Firmware Vulnerabilities↗2024-10-16

▶