Cisco fixed two flawed patches for its RV320 and RV325 small business routers, while also revealing two additional medium-rated vulnerabilities.
The previously patched vulnerabilities, CVE-2019-1652 and CVE-2019-1653, were improperly patched in September 2018. If exploited, they would allow a remote attacker to inject and run admin commands on a device without a password and to get sensitive device configuration details without a password, respectively.
Cisco placed an update on the alerts for each flaw stating “the initial fix for CVE-2019-1652 vulnerability was found to be incomplete. The complete fix is now available in Firmware Release 184.108.40.206.”
On the same day the older problems were patched, the company put out alerts for two medium-rated problems, CVE-2019-1827 and CVE-2019-1829, for the same routers. The first CVE covers a vulnerability that could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the service, while the second could allow an unauthenticated, remote attacker to access administrative credentials.
No patch has been issued for either CVE and Cisco said there are no known workarounds at this time.