Cisco: CISCO-SA-20170705-WAAS1
Jul 05, 2017 - 4:00 p.m.

Cisco Wide Area Application Services Central Manager Information Disclosure Vulnerability

2017-07-05 16:00:00
tools.cisco.com

EPSS: 0.001
Percentile: 46.7%

A vulnerability in the web-based GUI of Cisco Wide Area Application Services (WAAS) Central Manager could allow an unauthenticated, remote attacker to retrieve completed reports from an affected system.

The vulnerability is due to a processing error in how the affected software applies role-based access control (RBAC) to URLs. An attacker could exploit this vulnerability by conducting a brute-force attack or guessing the report ID of a completed report and sending a crafted HTTP GET request with the ID to an affected system. A successful exploit could allow the attacker to download any completed report that was previously scheduled by a WAAS administrator via the Reports Central area in the WAAS Central Manager GUI of the affected system.

There are no workarounds that address this vulnerability.
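
The following is an added example, not part of Cisco's advisory: a log check for the report-ID guessing pattern described above, which flags clients that request many distinct report IDs without an authenticated user and lists the IDs that were actually served. The URL path `/reports/download`, the `id` parameter, the common-log-format layout and the sample lines are assumptions; the advisory does not publish the real report URL.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# ASSUMPTIONS: "/reports/download?id=N" is a hypothetical URL (the advisory does
# not publish the real one), and the access log is in common log format where
# the third field is the authenticated user, "-" when there is none.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"GET /reports/download\?id=(?P<id>\d+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def find_report_id_guessing(lines, window=timedelta(minutes=5), min_ids=5):
    """Flag clients that request >= min_ids distinct report IDs without an
    authenticated user inside one sliding window; list IDs that returned 200."""
    by_ip = defaultdict(list)  # ip -> [(time, report_id, status)]
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["user"] != "-":  # skip non-report and authenticated requests
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        by_ip[m["ip"]].append((ts, int(m["id"]), int(m["status"])))
    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        start = peak = 0
        for end, (ts, _, _) in enumerate(events):
            while ts - events[start][0] > window:  # shrink window from the left
                start += 1
            peak = max(peak, len({rid for _, rid, _ in events[start:end + 1]}))
        if peak >= min_ids:
            findings[ip] = {
                "peak_distinct_ids": peak,
                # Reports actually served to this client: treat as disclosed.
                "downloaded": sorted({rid for _, rid, st in events if st == 200}),
            }
    return findings

# Constructed sample log (documentation-range addresses, made-up report IDs).
SAMPLE_LOG = [
    f'198.51.100.7 - - [05/Jul/2017:16:00:{i:02d} +0000] '
    f'"GET /reports/download?id={1000 + i} HTTP/1.1" {200 if i in (3, 6) else 404} 0'
    for i in range(1, 7)
] + [
    '192.0.2.10 - admin [05/Jul/2017:16:00:05 +0000] "GET /reports/download?id=1003 HTTP/1.1" 200 5120',
    '192.0.2.20 - - [05/Jul/2017:16:01:00 +0000] "GET /reports/download?id=1003 HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    print(find_report_id_guessing(SAMPLE_LOG))
```

The window and threshold are tuning parameters; on an affected system, any report in the `downloaded` list should be treated as exposed.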

This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170705-waas1

Affected configurations

Node: cisco cisco_wide_area_application_services_\(waas\) (match: any) OR cisco cisco_wide_area_application_services_\(waas\) (match: any)

Vendor | Product | Version | CPE
cisco | cisco_wide_area_application_services_\(waas\) | any | cpe:2.3:a:cisco:cisco_wide_area_application_services_\(waas\):any:*:*:*:*:*:*:*
