Cisco NX-OS Software SSH Key Information Disclosure Vulnerability

A vulnerability in the SSH CLI key management functionality of Cisco NX-OS Software could allow an authenticated, local attacker to expose a user's private SSH key to all authenticated users on the targeted device. The attacker must authenticate with valid administrator device credentials. The...

Cisco NX-OS Software Bash Shell Privilege Escalation Vulnerability

A vulnerability in the Bash shell implementation for Cisco NX-OS Software could allow an authenticated, local attacker to escalate their privilege level to root. The attacker must authenticate with valid user credentials. The vulnerability is due to incorrect permissions of a system executable. A...

Cisco Firepower Management Center Cross-Site Scripting Vulnerability

A vulnerability in the web-based management interface of Cisco Firepower Management Center FMC could allow an unauthenticated, remote attacker to conduct a cross-site scripting XSS attack against a user of the web-based management interface of an affected system. The vulnerability is due to...

Cisco Web Security Appliance Reflected and Document Object Model-Based Cross-Site Scripting Vulnerability

A vulnerability in the web-based management interface of Cisco Web Security Appliance WSA could allow an unauthenticated, remote attacker to conduct a reflected or Document Object Model–based DOM-based cross-site scripting XSS attack against a user of the web-based management interface of an...

Cisco Identity Services Engine Cross-Site Scripting Vulnerability

A vulnerability in the web-based management interface of Cisco Identity Services Engine ISE could allow an unauthenticated, remote attacker to conduct a cross-site scripting XSS attack against a user of the web-based management interface of an affected device. The vulnerability is due to...

Cisco FXOS and NX-OS System Software Authentication, Authorization, and Accounting Denial of Service Vulnerability

A vulnerability in the authentication, authorization, and accounting AAA implementation of Cisco Firepower Extensible Operating System FXOS and NX-OS System Software could allow an unauthenticated, remote attacker to cause an affected device to reload. The vulnerability occurs because AAA process...

Cisco WebEx Meetings Server Multiple Cross-Site Scripting Vulnerabilities

A vulnerability in the web framework code of Cisco WebEx Meetings Server could allow an unauthenticated, remote attacker to conduct a cross-site scripting XSS attack against the user of the web interface of the affected system. The vulnerability is due to insufficient input validation of some...

Multiple Vulnerabilities in OpenSSL (December 2015) Affecting Cisco Products

On December 3, 2015, the OpenSSL Project released a security advisory detailing five vulnerabilities. Multiple Cisco products incorporate a version of the OpenSSL package affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to cause a denial of service DoS...

Cisco Application Policy Infrastructure Controller and Cisco Cloud Network Controller Cross-Site Request Forgery Vulnerability

A vulnerability in the web-based management interface of Cisco Application Policy Infrastructure Controller APIC and Cisco Cloud Network Controller, formerly Cisco Cloud APIC, could allow an unauthenticated, remote attacker to conduct a cross-site request forgery CSRF attack on an affected system...

Cisco Small Business RV Series Routers Vulnerabilities

Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service DoS condition on an affected device. For more information about these vulnerabilities, see the...

Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Transparent Mode Denial of Service Vulnerability

A vulnerability in the TCP Normalizer of Cisco Adaptive Security Appliance ASA Software and Firepower Threat Defense FTD Software operating in transparent mode could allow an unauthenticated, remote attacker to poison MAC address tables, resulting in a denial of service DoS vulnerability. This...

Cisco Small Business 220 Series Smart Switches Link Layer Discovery Protocol Vulnerabilities

Multiple vulnerabilities exist in the Link Layer Discovery Protocol LLDP implementation for Cisco Small Business 220 Series Smart Switches. An unauthenticated, adjacent attacker could perform the following: Execute code on the affected device or cause it to reload unexpectedly Cause LLDP database...

Cisco Webex Teams Logging Feature Command Execution Vulnerability

A vulnerability in the Cisco Webex Teams client for Windows could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected system. This vulnerability is due to improper restrictions on software logging features used by the application on Windows operating systems. An...

Cisco Enterprise Network Functions Virtualization Infrastructure Software File Enumeration Vulnerability

A vulnerability in the web server functionality of Cisco Enterprise Network Functions Virtualization Infrastructure Software NFVIS could allow an authenticated, remote attacker to perform file enumeration on an affected system. The vulnerability is due to the web server responding with different...

Cisco Integrated Management Controller Privilege Escalation Vulnerability

A vulnerability in the web-based management interface of Cisco Integrated Management Controller IMC Software could allow an authenticated, remote attacker to make unauthorized changes to the system configuration. The vulnerability is due to insufficient authorization enforcement. An attacker coul...

Cisco IOS XR Software for Cisco ASR 9000 Series Aggregation Services Routers MPLS OAM Denial of Service Vulnerability

A vulnerability in the Multiprotocol Label Switching MPLS Operations, Administration, and Maintenance OAM implementation of Cisco IOS XR Software for Cisco ASR 9000 Series Aggregation Services Routers could allow an unauthenticated, adjacent attacker to trigger a denial of service DoS condition o...

Cisco Nexus 9000 Series Fabric Switches Application-Centric Infrastructure Mode Privilege Escalation Vulnerability

A vulnerability in the controller authorization functionality of Cisco Nexus 9000 Series ACI Mode Switch Software could allow an authenticated, local attacker to escalate standard users with root privilege on an affected device. The vulnerability is due to a misconfiguration of certain sudoers...

Cisco HyperFlex Unauthenticated Statistics Retrieval Vulnerability

A vulnerability in the Graphite service of Cisco HyperFlex software could allow an unauthenticated, remote attacker to retrieve data from the Graphite service. The vulnerability is due to insufficient authentication controls. An attacker could exploit this vulnerability by sending crafted request...

Cisco Identity Services Engine Cross-Site Request Forgery Vulnerability

A vulnerability in the web-based management interface of Cisco Identity Services Engine ISE could allow an unauthenticated, remote attacker to conduct a cross-site request forgery CSRF attack and perform arbitrary actions on an affected device. The vulnerability is due to insufficient CSRF...

Cisco IOS and IOS XE Software Autonomic Networking Infrastructure Denial of Service Vulnerability

A vulnerability in the Autonomic Networking feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, adjacent attacker to cause autonomic nodes of an affected system to reload, resulting in a denial of service DoS condition. The vulnerability is due to an unknown...

Cisco ASA Unicast Reverse Path Forwarding (uRPF) Bypass Vulnerability

A vulnerability in the Unicast Reverse Path Forwarding uRPF feature in the Cisco Adaptive Security Appliance ASA could allow an unauthenticated, remote attacker to bypass the uRPF validation checks. The vulnerability is due to incorrect uRPF validation where IP packets from an outside interface,...

Cisco Firepower Management Center Software SQL Injection Vulnerability

A vulnerability in the web-based management interface of Cisco Firepower Management Center FMC Software could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. This vulnerability exists because the web-based management interface does not adequately...

Vulnerabilities in Layer 2 Network Security Controls Affecting Cisco Products: September 2022

On September 27, 2022, the following vulnerabilities affecting Cisco products were disclosed by Cert/CC as part of VU855201, titled L2 network security controls can be bypassed using VLAN 0 stacking and/or 802.3 headers "https://kb.cert.org/vuls/id/855201": CVE-2021-27853: Layer 2 network filteri...

Cisco IOS XE SD-WAN Software Command Injection Vulnerability

A vulnerability in the CLI of Cisco IOS XE SD-WAN Software could allow an authenticated, local attacker to execute arbitrary commands with root privileges. The vulnerability is due to insufficient input validation by the system CLI. An attacker could exploit this vulnerability by authenticating t...

Cisco Webex Network Recording Player and Webex Player Memory Corruption Vulnerability

A vulnerability in Cisco Webex Network Recording Player for Windows and MacOS and Cisco Webex Player for Windows and MacOS could allow an attacker to execute arbitrary code on an affected system. The vulnerability is due to insufficient validation of values within Webex recording files formatted ...

Cisco SD-WAN Software Privilege Escalation Vulnerability

A vulnerability in the CLI of Cisco SD-WAN Software could allow an authenticated, local attacker to gain elevated privileges on an affected system. This vulnerability exists because the affected software does not properly restrict access to privileged processes. An attacker could exploit this...

Cisco IOS XE Wireless Controller Software for the Catalyst 9000 Family Stored Cross-Site Scripting Vulnerability

A vulnerability in the web-based management interface of Cisco IOS XE Wireless Controller software for the Catalyst 9000 Family of switches could allow an authenticated, remote attacker to conduct a cross-site scripting XSS attack against another user of the web-based management interface of an...

Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Remote Code Execution Vulnerability

A vulnerability in the implementation of the Lua interpreter integrated in Cisco Adaptive Security Appliance ASA Software and Cisco Firepower Threat Defense FTD Software could allow an authenticated, remote attacker to execute arbitrary code with root privileges on the underlying Linux operating...

Cisco Managed Services Accelerator Open Redirect Vulnerability

A vulnerability in the web interface of Cisco Managed Services Accelerator MSX could allow an unauthenticated, remote attacker to redirect a user to a malicious web page. The vulnerability is due to improper input validation of the parameters of an HTTP request. An attacker could exploit this...

Cisco Integrated Management Controller Command Injection Vulnerability

A vulnerability in the Intelligent Platform Management Interface IPMI of Cisco Integrated Management Controller IMC could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges on the underlying operating system OS. The vulnerability is due to...

Cisco Nexus 9000 Series Fabric Switches Application Centric Infrastructure Mode Default SSH Key Vulnerability

A vulnerability in the SSH key management for the Cisco Nexus 9000 Series Application Centric Infrastructure ACI Mode Switch Software could allow an unauthenticated, remote attacker to connect to the affected system with the privileges of the root user. The vulnerability is due to the presence of...

Cisco Webex Meetings for Android Cross-Site Scripting Vulnerability

A vulnerability in Cisco Webex Meetings for Android could allow an unauthenticated, local attacker to perform a cross-site scripting attack against the application. The vulnerability is due to insufficient validation of the application input parameters. An attacker could exploit this vulnerabilit...

Cisco IOS XE Software Shell Access Authentication Bypass Vulnerability

A vulnerability in the shell access request mechanism of Cisco IOS XE Software could allow an authenticated, local attacker to bypass authentication and gain unrestricted access to the root shell of an affected device. The vulnerability exists because the affected software has insufficient...

Cisco IOS and IOS XE Software DHCP Client Denial of Service Vulnerability

A vulnerability in the DHCP client implementation of Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a denial of service DoS condition. The vulnerability occurs during the parsing of a crafted DHCP packet. An attacker could exploit this vulnerability b...

SNMP Version 3 Authentication Vulnerabilities

Multiple Cisco products contain either of two authentication vulnerabilities in the Simple Network Management Protocol version 3 SNMPv3 feature. These vulnerabilities can be exploited when processing a malformed SNMPv3 message. These vulnerabilities could allow the disclosure of network informati...

Cisco Identity Services Engine Cross-Site Scripting Vulnerabilities

Multiple vulnerabilities in the web-based management interface of Cisco Identity Services Engine ISE Software could allow an attacker to conduct a cross-site scripting XSS attack against a user of the interface. For more information about these vulnerabilities, see the Details "details" section o...

Cisco IOS and IOS XE Software Link Layer Discovery Protocol Denial of Service Vulnerability

A vulnerability in the Link Layer Discovery Protocol LLDP message parser of Cisco IOS Software and Cisco IOS XE Software could allow an attacker to trigger a reload of an affected device, resulting in a denial of service DoS condition. This vulnerability is due to improper initialization of a...

Cisco Firepower Management Center Software Cross-Site Scripting Vulnerabilities

Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center FMC Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting XSS attack against a user of the interface. These vulnerabilities are due to insufficient validation o...

Cisco SD-WAN vManage Software Vulnerabilities

Multiple vulnerabilities in Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to execute arbitrary code or allow an authenticated, local attacker to gain escalated privileges on an affected system. For more information about these vulnerabilities, see the Details...

Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers Authenticated Remote Code Execution Vulnerabilities

Multiple vulnerabilities in the web-based management interface of Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an authenticated, remote attacker to execute arbitrary code with elevated privileges equivalent to the web service process on an affected device. These...

Cisco IOS XE Software Web UI Cross-Site WebSocket Hijacking Vulnerability

A vulnerability in the web UI feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a cross-site WebSocket hijacking CSWSH attack and cause a denial of service DoS condition on an affected device. This vulnerability is due to insufficient HTTP protections in...

Cisco IOS XE Wireless Controller Software for the Catalyst 9000 Family CAPWAP Denial of Service Vulnerability

A vulnerability in the Control and Provisioning of Wireless Access Points CAPWAP protocol processing of Cisco IOS XE Wireless Controller Software for the Cisco Catalyst 9000 Family Wireless Controllers could allow an unauthenticated, remote attacker to cause a denial of service DoS condition of a...

Cisco Security Manager Path Traversal Vulnerability

A vulnerability in Cisco Security Manager could allow an unauthenticated, remote attacker to gain access to and modify sensitive information on the affected device. The vulnerability is due to improper validation of directory traversal character sequences within requests to an affected device. An...

Cisco Small Business 220 Series Smart Switches Remote Code Execution Vulnerabilities

Multiple vulnerabilities in the web management interface of Cisco Small Business 220 Series Smart Switches could allow an unauthenticated, remote attacker to overflow a buffer, which then allows the execution of arbitrary code with root privileges on the underlying operating system. The...

Cisco IOS and IOS XE Software Network-Based Application Recognition Denial of Service Vulnerabilities

Multiple vulnerabilities in the Network-Based Application Recognition NBAR feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload. These vulnerabilities are due to a parsing issue on DNS packets. An attacker...

Cisco Small Business 300 Series Managed Switches Persistent Cross-Site Scripting Vulnerability

A vulnerability in the web-based management interface of Cisco Small Business 300 Series Sx300 Managed Switches could allow an authenticated, remote attacker to conduct a persistent cross-site scripting XSS attack against a user of the web-based management interface of an affected device. The...

Cisco Web Security Appliance Cross-Site Scripting Vulnerability

A vulnerability in the web-based management interface of Cisco Web Security Appliance WSA could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting XSS attack against a user of the web-based management interface of an affected device. The vulnerability is due to...

Cisco Firepower Management Center Cross-Site Request Forgery Vulnerability

A vulnerability in the web-based management interface of Cisco Firepower Management Center could allow an unauthenticated, remote attacker to conduct a cross-site request forgery CSRF attack and perform arbitrary actions on an affected device. The vulnerability is due to insufficient CSRF...

Cisco MATE Collector Cross-Site Request Forgery Vulnerability

A vulnerability in the web-based management interface of Cisco MATE Collector could allow an unauthenticated, remote attacker to conduct a cross-site request forgery CSRF attack and perform arbitrary actions on an affected device. The vulnerability is due to insufficient CSRF protections for the...

Cisco Identity Services Engine Cross-Site Request Forgery Vulnerability

A vulnerability in the web-based management interface of Cisco Identity Services Engine ISE could allow an unauthenticated, remote attacker to conduct a cross-site request forgery CSRF attack and perform arbitrary actions on an affected device. The vulnerability is due to insufficient CSRF...