Unrated severityNVD Advisory· Published Apr 5, 2023· Updated Oct 25, 2024

Cisco Small Business RV016, RV042, RV042G, RV082 , RV320, and RV325 Routers Cross-Site Scripting Vulnerabilities

CVE-2023-20139

Description

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface. These vulnerabilities are due to insufficient input validation by the web-based management interface. An attacker could exploit these vulnerabilities by sending crafted HTTP requests to an affected device and then persuading a user to visit specific web pages that include malicious payloads. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. Cisco has not released software updates that address these vulnerabilities.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2023-20139 describes stored XSS in Cisco Small Business RV series routers via insufficient input validation, with no patch available; mitigation requires disabling remote management and blocking ports.

Vulnerability

The stored cross-site scripting (XSS) vulnerability resides in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 routers. The flaw stems from insufficient input validation of HTTP requests. Attackers can inject arbitrary script code that persists within the interface. Affected firmware versions have not been patched by Cisco [1].

Exploitation

An unauthenticated, remote attacker sends crafted HTTP requests to the vulnerable device and then persuades an authenticated administrator to visit specific web pages that contain the malicious payload. No privileged access or user interaction beyond the administrator's normal browsing is required for the initial injection [1].

Impact

Successful exploitation allows arbitrary script execution in the context of the affected web interface. This can lead to disclosure of sensitive browser-based information (e.g., session tokens, cookies) and potential compromise of administrative functions [1].

Mitigation

Cisco has not released software updates addressing these vulnerabilities. Mitigation steps include disabling remote management on all affected models, and additionally blocking access to ports 443 and 60443 on RV016, RV042, RV042G, and RV082 routers. For detailed configuration steps, refer to the advisory [1]. No workaround is available beyond these mitigations.

References

Cisco Security Advisory: Cisco Small Business RV016, RV042, RV042G, RV082 , RV320, and RV325 Routers Cross-Site Scripting Vulnerabilities

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

Cisco Systems, Inc./Small Business RV Series Routersllm-fuzzy
Cisco Systems, Inc./Small Business Rv Series Router Firmwarecpe-rescue
Range: n/a

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-stored-xss-vqz7gC8Wmitrevendor-advisory

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000