CVE-2023-20073

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2023-20073
A vulnerability in the web-based management interface of Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an unauthenticated, remote attacker to upload arbitrary files to an affected device. This vulnerability is due to insufficient authorization enforcement mechanisms in the context of file uploads. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to upload arbitrary files to the affected device.

9.8 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sb-rv-afu-EXxwA65V Vendor Advisory
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:cisco:rv340_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:cisco:rv340:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
cpe:2.3:o:cisco:rv340w_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:cisco:rv340w:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND
cpe:2.3:o:cisco:rv345_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:cisco:rv345:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND
cpe:2.3:o:cisco:rv345p_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:cisco:rv345p:-:*:*:*:*:*:*:*
History

11 Apr 2023, 19:16

Type Values Removed Values Added
First Time Cisco rv345p Firmware
Cisco rv345
Cisco rv345p
Cisco
Cisco rv340 Firmware
Cisco rv340w
Cisco rv340
Cisco rv340w Firmware
Cisco rv345 Firmware
References (CISCO) https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sb-rv-afu-EXxwA65V - (CISCO) https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sb-rv-afu-EXxwA65V - Vendor Advisory
CWE CWE-434
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 9.8
CPE cpe:2.3:h:cisco:rv340:-:*:*:*:*:*:*:*
cpe:2.3:o:cisco:rv340w_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:cisco:rv340w:-:*:*:*:*:*:*:*
cpe:2.3:o:cisco:rv345p_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:cisco:rv345p:-:*:*:*:*:*:*:*
cpe:2.3:o:cisco:rv340_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:cisco:rv345_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:cisco:rv345:-:*:*:*:*:*:*:*

05 Apr 2023, 17:35

Type Values Removed Values Added
New CVE
Information

Published : 2023-04-05 16:15

Updated : 2023-12-10 15:01

NVD link : CVE-2023-20073

Mitre link : CVE-2023-20073

CVE.ORG link : CVE-2023-20073

JSON object : View

Products Affected

cisco

  • rv345p
  • rv340w_firmware
  • rv345_firmware
  • rv340w
  • rv340
  • rv345p_firmware
  • rv340_firmware
  • rv345
CWE
CWE-434

Unrestricted Upload of File with Dangerous Type