ID

VAR-202304-0297


CVE

CVE-2023-20142


TITLE

Cross-site scripting vulnerability in multiple Cisco Systems products

Trust: 0.8

sources: JVNDB: JVNDB-2023-007121

DESCRIPTION

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface. These vulnerabilities are due to insufficient input validation by the web-based management interface. An attacker could exploit these vulnerabilities by sending crafted HTTP requests to an affected device and then persuading a user to visit specific web pages that include malicious payloads. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. Cisco has not released software updates that address these vulnerabilities.

Cross-site scripting vulnerabilities exist in multiple Cisco Systems products, including RV016 Multi-WAN VPN firmware, RV042 Dual WAN VPN firmware, and RV042G Dual Gigabit WAN VPN firmware. Information may be obtained and information may be tampered with.

Cisco Small Business Routers are router devices from Cisco. Remote attackers can exploit this vulnerability to inject malicious scripts or HTML code. When the malicious data is viewed, sensitive information can be obtained or user sessions can be hijacked.

Trust: 2.25

sources: NVD: CVE-2023-20142 // JVNDB: JVNDB-2023-007121 // CNVD: CNVD-2024-24744 // VULMON: CVE-2023-20142

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2024-24744

AFFECTED PRODUCTS

vendor: cisco, model: rv325, scope: eq, version: *

Trust: 1.0

vendor: cisco, model: rv042, scope: eq, version: *

Trust: 1.0

vendor: cisco, model: rv016, scope: eq, version: *

Trust: 1.0

vendor: cisco, model: rv320, scope: eq, version: *

Trust: 1.0

vendor: cisco, model: rv042g, scope: eq, version: *

Trust: 1.0

vendor: cisco, model: rv082, scope: eq, version: *

Trust: 1.0

vendor: Cisco Systems, model: cisco rv320 dual gigabit wan vpn router, scope: -, version: -

Trust: 0.8

vendor: Cisco Systems, model: rv042 dual wan vpn, scope: -, version: -

Trust: 0.8

vendor: Cisco Systems, model: cisco rv325 dual gigabit wan vpn router, scope: -, version: -

Trust: 0.8

vendor: Cisco Systems, model: rv016 multi-wan vpn, scope: -, version: -

Trust: 0.8

vendor: Cisco Systems, model: rv082 dual wan vpn, scope: -, version: -

Trust: 0.8

vendor: Cisco Systems, model: rv042g dual gigabit wan vpn, scope: -, version: -

Trust: 0.8

vendor: cisco, model: small business routers rv016, scope: -, version: -

Trust: 0.6

vendor: cisco, model: small business routers rv042, scope: -, version: -

Trust: 0.6

vendor: cisco, model: small business routers rv042g, scope: -, version: -

Trust: 0.6

vendor: cisco, model: small business routers rv082, scope: -, version: -

Trust: 0.6

vendor: cisco, model: small business routers rv320, scope: -, version: -

Trust: 0.6

vendor: cisco, model: small business routers rv325, scope: -, version: -

Trust: 0.6

sources: CNVD: CNVD-2024-24744 // JVNDB: JVNDB-2023-007121 // NVD: CVE-2023-20142

CVSS

SEVERITY

nvd@nist.gov: CVE-2023-20142
value: MEDIUM

Trust: 1.0

ykramarz@cisco.com: CVE-2023-20142
value: MEDIUM

Trust: 1.0

NVD: CVE-2023-20142
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2024-24744
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202304-292
value: MEDIUM

Trust: 0.6

CVSSV2

CNVD: CNVD-2024-24744
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

CVSSV3

nvd@nist.gov: CVE-2023-20142
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.1

Trust: 2.0

NVD: CVE-2023-20142
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2024-24744 // JVNDB: JVNDB-2023-007121 // CNNVD: CNNVD-202304-292 // NVD: CVE-2023-20142 // NVD: CVE-2023-20142

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.0

problemtype: Cross-site scripting (CWE-79) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2023-007121 // NVD: CVE-2023-20142

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202304-292

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202304-292

PATCH

title: cisco-sa-rv-stored-xss-vqz7gC8W
url: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-stored-xss-vqz7gC8W

Trust: 0.8

title: Patch for Cisco Small Business Routers Web Management Interface Cross-Site Scripting Vulnerability
url: https://www.cnvd.org.cn/patchInfo/show/546621

Trust: 0.6

title: Cisco Small Business Fixes for cross-site scripting vulnerabilities
url: http://123.124.177.30/web/xxk/bdxqById.tag?id=233390

Trust: 0.6

title: Cisco: Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers Cross-Site Scripting Vulnerabilities
url: https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-rv-stored-xss-vqz7gC8W

Trust: 0.1

sources: CNVD: CNVD-2024-24744 // VULMON: CVE-2023-20142 // JVNDB: JVNDB-2023-007121 // CNNVD: CNNVD-202304-292

EXTERNAL IDS

db: NVD, id: CVE-2023-20142

Trust: 3.9

db: JVNDB, id: JVNDB-2023-007121

Trust: 0.8

db: CNVD, id: CNVD-2024-24744

Trust: 0.6

db: AUSCERT, id: ESB-2023.2020

Trust: 0.6

db: CNNVD, id: CNNVD-202304-292

Trust: 0.6

db: VULMON, id: CVE-2023-20142

Trust: 0.1

sources: CNVD: CNVD-2024-24744 // VULMON: CVE-2023-20142 // JVNDB: JVNDB-2023-007121 // CNNVD: CNNVD-202304-292 // NVD: CVE-2023-20142

REFERENCES

url: https://sec.cloudapps.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-rv-stored-xss-vqz7gc8w

Trust: 1.8

url: https://nvd.nist.gov/vuln/detail/cve-2023-20142

Trust: 1.4

url: https://cxsecurity.com/cveshow/cve-2023-20142/

Trust: 0.6

url: https://www.auscert.org.au/bulletins/esb-2023.2020

Trust: 0.6

url: https://nvd.nist.gov

Trust: 0.1

sources: CNVD: CNVD-2024-24744 // VULMON: CVE-2023-20142 // JVNDB: JVNDB-2023-007121 // CNNVD: CNNVD-202304-292 // NVD: CVE-2023-20142

SOURCES

db: CNVD, id: CNVD-2024-24744
db: VULMON, id: CVE-2023-20142
db: JVNDB, id: JVNDB-2023-007121
db: CNNVD, id: CNNVD-202304-292
db: NVD, id: CVE-2023-20142

LAST UPDATE DATE

2024-08-14T13:20:53.732000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2024-24744, date: 2024-05-29T00:00:00
db: VULMON, id: CVE-2023-20142, date: 2023-04-06T00:00:00
db: JVNDB, id: JVNDB-2023-007121, date: 2023-11-17T06:04:00
db: CNNVD, id: CNNVD-202304-292, date: 2023-04-14T00:00:00
db: NVD, id: CVE-2023-20142, date: 2023-11-07T04:06:12.073

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2024-24744, date: 2023-05-16T00:00:00
db: VULMON, id: CVE-2023-20142, date: 2023-04-05T00:00:00
db: JVNDB, id: JVNDB-2023-007121, date: 2023-11-17T00:00:00
db: CNNVD, id: CNNVD-202304-292, date: 2023-04-05T00:00:00
db: NVD, id: CVE-2023-20142, date: 2023-04-05T19:15:08.920