CVE-2020-3150 : A vulnerability in the web-based management interface of Cisco Small Business RV

A vulnerability in the web-based management interface of Cisco Small Business RV110W and RV215W Series Routers could allow an unauthenticated, remote attacker to download sensitive information from the device, which could include the device configuration. The vulnerability is due to improper authorization of an HTTP request. An attacker could exploit this vulnerability by accessing a specific URI on the web-based management interface of the router, but only after any valid user has opened a specific file on the device since the last reboot. A successful exploit would allow the attacker to view sensitive information, which should be restricted.

Published 2020-07-16 18:15:17

Updated 2020-07-22 20:09:33

Source Cisco Systems, Inc.

View at NVD, CVE.org

Vulnerability category: BypassGain privilege

Products affected by CVE-2020-3150

Cisco » Rv110w Firmware
Versions before (<) 1.2.2.8
cpe:2.3:o:cisco:rv110w_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Cisco » Rv110w » Version: N/A
Cisco » Rv215w Firmware
Versions before (<) 1.3.1.7
cpe:2.3:o:cisco:rv215w_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Cisco » Rv215w » Version: N/A

Exploit prediction scoring system (EPSS) score for CVE-2020-3150

EPSS FAQ

0.34%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 53 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2020-3150

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:P/I:N/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
5.9	MEDIUM	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N	2.2	3.6	Cisco Systems, Inc.
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None
5.9	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N	2.2	3.6	NIST
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2020-3150

CWE-285 Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Assigned by: ykramarz@cisco.com (Secondary)
CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2020-3150

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-info-dis-FEWBWgsD

Cisco Small Business RV110W and RV215W Series Routers Information Disclosure Vulnerability
Vendor Advisory

Jump to

Vulnerability Details : CVE-2020-3150

Products affected by CVE-2020-3150

Exploit prediction scoring system (EPSS) score for CVE-2020-3150

CVSS scores for CVE-2020-3150

CWE ids for CVE-2020-3150

References for CVE-2020-3150