SB2021020417 - Multiple vulnerabilities in Cisco Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers
Published: February 4, 2021
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 9 secuirty vulnerabilities.
1) Code Injection (CVE-ID: CVE-2021-1289)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to the HTTP requests are not properly validated. A remote attacker can send a specially crafted HTTP request and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
2) Code Injection (CVE-ID: CVE-2021-1290)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to the HTTP requests are not properly validated. A remote attacker can send a specially crafted HTTP request and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
3) Code Injection (CVE-ID: CVE-2021-1291)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to the HTTP requests are not properly validated. A remote attacker can send a specially crafted HTTP request and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
4) Code Injection (CVE-ID: CVE-2021-1292)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to the HTTP requests are not properly validated. A remote attacker can send a specially crafted HTTP request and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
5) Code Injection (CVE-ID: CVE-2021-1293)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to the HTTP requests are not properly validated. A remote attacker can send a specially crafted HTTP request and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
6) Code Injection (CVE-ID: CVE-2021-1294)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to the HTTP requests are not properly validated. A remote attacker can send a specially crafted HTTP request and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
7) Code Injection (CVE-ID: CVE-2021-1295)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to the HTTP requests are not properly validated. A remote attacker can send a specially crafted HTTP request and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
8) Path traversal (CVE-ID: CVE-2021-1297)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error in the web-based management interface. A remote attacker can use the web-based management interface to upload a file to location on an affected device and overwrite files on the target device.
9) Path traversal (CVE-ID: CVE-2021-1296)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error in the web-based management interface. A remote attacker can use the web-based management interface to upload a file to location on an affected device and overwrite files on the target device.
Remediation
Install update from vendor's website.