TTCSIRT-223.082719: TT-CSIRT Advisory – Cisco Security Updates
Cisco has released a security update stating that it has discovered the following issues in Cisco Small Business 220 Series Smart Switches:
a) An authentication bypass vulnerability which could allow for remote file upload due to incomplete authorization checks in the web management interface (CVE-2019-1912).
b) A command injection vulnerability which could allow for arbitrary code execution by an authenticated attacker due to insufficient validation of user-supplied input (CVE-2019-1914).
An attacker could exploit these vulnerabilities by sending malicious requests to the web management interface of an affected device. The vulnerabilities are due to insufficient validation of user-supplied input and improper boundary checks when reading data into an internal buffer.
Further information on these vulnerabilities and how they can be mitigated can be found on the Cisco website at https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190806-sb220-auth_bypass