CVE-2021-1541 : Multiple vulnerabilities in the web-based management interface of Cisco Small Bu

Multiple vulnerabilities in the web-based management interface of Cisco Small Business 220 Series Smart Switches could allow an attacker to do the following: Hijack a user session Execute arbitrary commands as a root user on the underlying operating system Conduct a cross-site scripting (XSS) attack Conduct an HTML injection attack For more information about these vulnerabilities, see the Details section of this advisory.

Published 2021-06-16 18:15:08

Updated 2021-06-23 21:54:54

Source Cisco Systems, Inc.

View at NVD, CVE.org

Vulnerability category: Cross site scripting (XSS)BypassGain privilege

Products affected by CVE-2021-1541

Cisco » Sf220-24p Firmware
Versions before (<) 1.2.0.6
cpe:2.3:o:cisco:sf220-24p_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Cisco » Sf220-24p » Version: N/A
Cisco » Sf220-48 Firmware
Versions before (<) 1.2.0.6
cpe:2.3:o:cisco:sf220-48_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Cisco » Sf220-48 » Version: N/A
Cisco » Sf220-48p Firmware
Versions before (<) 1.2.0.6
cpe:2.3:o:cisco:sf220-48p_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Cisco » Sf220-48p » Version: N/A
Cisco » Sg220-26 Firmware
Versions before (<) 1.2.0.6
cpe:2.3:o:cisco:sg220-26_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Cisco » Sg220-26 » Version: N/A
Cisco » Sg220-26p Firmware
Versions before (<) 1.2.0.6
cpe:2.3:o:cisco:sg220-26p_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Cisco » Sg220-26p » Version: N/A
Cisco » Sg220-28mp Firmware
Versions before (<) 1.2.0.6
cpe:2.3:o:cisco:sg220-28mp_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Cisco » Sg220-28mp » Version: N/A
Cisco » Sg220-50 Firmware
Versions before (<) 1.2.0.6
cpe:2.3:o:cisco:sg220-50_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Cisco » Sg220-50 » Version: N/A
Cisco » Sg220-50p Firmware
Versions before (<) 1.2.0.6
cpe:2.3:o:cisco:sg220-50p_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Cisco » Sg220-50p » Version: N/A
Cisco » Sf220-24 Firmware
Versions before (<) 1.2.0.6
cpe:2.3:o:cisco:sf220-24_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Cisco » Sf220-24 » Version: N/A

Exploit prediction scoring system (EPSS) score for CVE-2021-1541

EPSS FAQ

0.38%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 57 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-1541

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
9.0	HIGH	AV:N/AC:L/Au:S/C:C/I:C/A:C	8.0	10.0	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
7.2	HIGH	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	1.2	5.9	Cisco Systems, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: High User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
7.2	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	1.2	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: High User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2021-1541

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Assigned by: ykramarz@cisco.com (Primary)

References for CVE-2021-1541

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ciscosb-multivulns-Wwyb7s5E

Cisco Small Business 220 Series Smart Switches Vulnerabilities
Vendor Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2021-1541

Products affected by CVE-2021-1541

Exploit prediction scoring system (EPSS) score for CVE-2021-1541

CVSS scores for CVE-2021-1541

CWE ids for CVE-2021-1541

References for CVE-2021-1541