Details of VAR-202304-0297

ID

VAR-202304-0297

CVE

CVE-2023-20142

TITLE

Cross-site scripting vulnerability in multiple Cisco Systems products

Trust: 0.8

sources: JVNDB: JVNDB-2023-007121

DESCRIPTION

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface. These vulnerabilities are due to insufficient input validation by the web-based management interface. An attacker could exploit these vulnerabilities by sending crafted HTTP requests to an affected device and then persuading a user to visit specific web pages that include malicious payloads. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. Cisco has not released software updates that address these vulnerabilities. RV016 Multi-WAN VPN firmware, RV042 Dual WAN VPN firmware, RV042G Dual Gigabit WAN VPN Cross-site scripting vulnerabilities exist in multiple Cisco Systems products, including firmware.Information may be obtained and information may be tampered with. Cisco Small Business Routers is a router device of Cisco. Remote attackers can exploit this vulnerability to inject malicious scripts or HTML code. When the malicious data is viewed, sensitive information can be obtained or user sessions can be hijacked

Trust: 2.25

sources: NVD: CVE-2023-20142 // JVNDB: JVNDB-2023-007121 // CNVD: CNVD-2024-24744 // VULMON: CVE-2023-20142

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2024-24744

AFFECTED PRODUCTS

vendor:	cisco	model:	rv325	scope:	eq	version:	*	Trust: 1.0
vendor:	cisco	model:	rv042	scope:	eq	version:	*	Trust: 1.0
vendor:	cisco	model:	rv016	scope:	eq	version:	*	Trust: 1.0
vendor:	cisco	model:	rv320	scope:	eq	version:	*	Trust: 1.0
vendor:	cisco	model:	rv042g	scope:	eq	version:	*	Trust: 1.0
vendor:	cisco	model:	rv082	scope:	eq	version:	*	Trust: 1.0
vendor:	シスコシステムズ	model:	cisco rv320 dual gigabit wan vpn ルータ	scope:	-	version:	-	Trust: 0.8
vendor:	シスコシステムズ	model:	rv042 dual wan vpn	scope:	-	version:	-	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco rv325 dual gigabit wan vpn ルータ	scope:	-	version:	-	Trust: 0.8
vendor:	シスコシステムズ	model:	rv016 multi-wan vpn	scope:	-	version:	-	Trust: 0.8
vendor:	シスコシステムズ	model:	rv082 dual wan vpn	scope:	-	version:	-	Trust: 0.8
vendor:	シスコシステムズ	model:	rv042g dual gigabit wan vpn	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	small business routers rv016	scope:	-	version:	-	Trust: 0.6
vendor:	cisco	model:	small business routers rv042	scope:	-	version:	-	Trust: 0.6
vendor:	cisco	model:	small business routers rv042g	scope:	-	version:	-	Trust: 0.6
vendor:	cisco	model:	small business routers rv082	scope:	-	version:	-	Trust: 0.6
vendor:	cisco	model:	small business routers rv320	scope:	-	version:	-	Trust: 0.6
vendor:	cisco	model:	small business routers rv325	scope:	-	version:	-	Trust: 0.6

sources: CNVD: CNVD-2024-24744 // JVNDB: JVNDB-2023-007121 // NVD: CVE-2023-20142

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2023-20142
value:	MEDIUM
Trust: 1.0
ykramarz@cisco.com:	CVE-2023-20142
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2023-20142
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2024-24744
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202304-292
value:	MEDIUM
Trust: 0.6

CNVD:	CNVD-2024-24744
severity:	MEDIUM
baseScore:	6.4
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2023-20142
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	2.7
version:	3.1
Trust: 2.0
NVD:	CVE-2023-20142
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2024-24744 // JVNDB: JVNDB-2023-007121 // CNNVD: CNNVD-202304-292 // NVD: CVE-2023-20142 // NVD: CVE-2023-20142

PROBLEMTYPE DATA

problemtype:	CWE-79	Trust: 1.0
problemtype:	Cross-site scripting (CWE-79) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2023-007121 // NVD: CVE-2023-20142

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202304-292

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202304-292

PATCH

title:	cisco-sa-rv-stored-xss-vqz7gC8W	url:	https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-stored-xss-vqz7gC8W	Trust: 0.8
title:	Patch for Cisco Small Business Routers Web Management Interface Cross-Site Scripting Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/546621	Trust: 0.6
title:	Cisco Small Business Fixes for cross-site scripting vulnerabilities	url:	http://123.124.177.30/web/xxk/bdxqById.tag?id=233390	Trust: 0.6
title:	Cisco: Cisco Small Business RV016, RV042, RV042G, RV082 , RV320, and RV325 Routers Cross-Site Scripting Vulnerabilities	url:	https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-rv-stored-xss-vqz7gC8W	Trust: 0.1

sources: CNVD: CNVD-2024-24744 // VULMON: CVE-2023-20142 // JVNDB: JVNDB-2023-007121 // CNNVD: CNNVD-202304-292

EXTERNAL IDS

db:	NVD	id:	CVE-2023-20142	Trust: 3.9
db:	JVNDB	id:	JVNDB-2023-007121	Trust: 0.8
db:	CNVD	id:	CNVD-2024-24744	Trust: 0.6
db:	AUSCERT	id:	ESB-2023.2020	Trust: 0.6
db:	CNNVD	id:	CNNVD-202304-292	Trust: 0.6
db:	VULMON	id:	CVE-2023-20142	Trust: 0.1

sources: CNVD: CNVD-2024-24744 // VULMON: CVE-2023-20142 // JVNDB: JVNDB-2023-007121 // CNNVD: CNNVD-202304-292 // NVD: CVE-2023-20142

REFERENCES

url:	https://sec.cloudapps.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-rv-stored-xss-vqz7gc8w	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2023-20142	Trust: 1.4
url:	https://cxsecurity.com/cveshow/cve-2023-20142/	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2023.2020	Trust: 0.6
url:	https://nvd.nist.gov	Trust: 0.1

sources: CNVD: CNVD-2024-24744 // VULMON: CVE-2023-20142 // JVNDB: JVNDB-2023-007121 // CNNVD: CNNVD-202304-292 // NVD: CVE-2023-20142

SOURCES

db:	CNVD	id:	CNVD-2024-24744
db:	VULMON	id:	CVE-2023-20142
db:	JVNDB	id:	JVNDB-2023-007121
db:	CNNVD	id:	CNNVD-202304-292
db:	NVD	id:	CVE-2023-20142

LAST UPDATE DATE

2024-08-14T13:20:53.732000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2024-24744	date:	2024-05-29T00:00:00
db:	VULMON	id:	CVE-2023-20142	date:	2023-04-06T00:00:00
db:	JVNDB	id:	JVNDB-2023-007121	date:	2023-11-17T06:04:00
db:	CNNVD	id:	CNNVD-202304-292	date:	2023-04-14T00:00:00
db:	NVD	id:	CVE-2023-20142	date:	2023-11-07T04:06:12.073

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2024-24744	date:	2023-05-16T00:00:00
db:	VULMON	id:	CVE-2023-20142	date:	2023-04-05T00:00:00
db:	JVNDB	id:	JVNDB-2023-007121	date:	2023-11-17T00:00:00
db:	CNNVD	id:	CNNVD-202304-292	date:	2023-04-05T00:00:00
db:	NVD	id:	CVE-2023-20142	date:	2023-04-05T19:15:08.920