Cisco: most viewed

5224 matches found

Cisco
•added 2018/08/01 4:0 p.m.•72 views

Cisco Small Business 300 Series Managed Switches Persistent Cross-Site Scripting Vulnerability

A vulnerability in the web-based management interface of Cisco Small Business 300 Series Sx300 Managed Switches could allow an authenticated, remote attacker to conduct a persistent cross-site scripting XSS attack against a user of the web-based management interface of an affected device. The...

CVSS 5.4 | AI score 2.4 | EPSS 0.00678
Exploits: 0 | References: 1

Cisco
•added 2018/07/11 4:0 p.m.•72 views

Cisco Web Security Appliance Cross-Site Scripting Vulnerability

A vulnerability in the web-based management interface of Cisco Web Security Appliance WSA could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting XSS attack against a user of the web-based management interface of an affected device. The vulnerability is due to...

CVSS 6.1 | AI score 1.3 | EPSS 0.01783
Exploits: 0 | References: 1

Cisco
•added 2018/03/07 4:0 p.m.•72 views

Cisco Identity Services Engine Cross-Site Request Forgery Vulnerability

A vulnerability in the web-based management interface of Cisco Identity Services Engine ISE could allow an unauthenticated, remote attacker to conduct a cross-site request forgery CSRF attack and perform arbitrary actions on an affected device. The vulnerability is due to insufficient CSRF...

CVSS 6.3 | AI score 2.6 | EPSS 0.00875
Exploits: 0 | References: 1

Cisco
•added 2018/03/07 4:0 p.m.•72 views

Cisco Identity Services Engine Authenticated CLI Denial of Service Vulnerability

A vulnerability in specific CLI commands for the Cisco Identity Services Engine could allow an authenticated, local attacker to cause a denial of service DoS condition. The device may need to be manually rebooted to recover. The vulnerability is due to lack of proper input validation of the CLI...

CVSS 4.4 | AI score 2.4 | EPSS 0.004
Exploits: 0 | References: 1

Cisco
•added 2017/01/18 4:0 p.m.•72 views

Cisco IOS for Catalyst 2960X and 3750X Switches Denial of Service Vulnerability

A vulnerability in the Cisco IOS Software forwarding queue of Cisco 2960X and 3750X switches could allow an unauthenticated, adjacent attacker to cause a memory leak in the software forwarding queue that would eventually lead to a partial denial of service DoS condition. The vulnerability is due ...

CVSS 4.7 | AI score 4.6 | EPSS 0.00556
Exploits: 0 | References: 1

Cisco
•added 2016/03/03 12:0 a.m.•72 views

Cisco Prime Infrastructure XML External Entity Denial of Service Vulnerability

A vulnerability in the web-based user interface of Cisco Prime Infrastructure could allow an authenticated, remote attacker to have read access to confidential information stored in the affected system. In addition, the attacker could cause a partial denial of service DoS condition due to...

CVSS 5.5 | AI score 6.1 | EPSS 0.01293
Exploits: 0 | References: 1

Cisco
•added 2015/04/08 5:5 p.m.•72 views

Network Time Protocol Daemon MAC Checking Failure Authentication Bypass Vulnerability

A vulnerability in the Network Time Protocol NTP daemon could allow an unauthenticated, adjacent attacker to bypass authentication mechanisms and access an affected system. The vulnerability is due to incorrect validation of the message authentication code MAC field. An attacker could exploit thi...

CVSS 4.3 | AI score 6.7 | EPSS 0.02219
Exploits: 0 | References: 1

Cisco
•added 2002/12/19 11:0 p.m.•72 views

SSH Malformed Packet Vulnerabilities

...

CVSS 10 | AI score 2.1 | EPSS 0.80233
Exploits: 6 | References: 1 | Affected Software: 5

Cisco
•added 2022/08/24 4:0 p.m.•71 views

Cisco FXOS and NX-OS Software Cisco Discovery Protocol Denial of Service and Arbitrary Code Execution Vulnerability

A vulnerability in the Cisco Discovery Protocol feature of Cisco FXOS Software and Cisco NX-OS Software could allow an unauthenticated, adjacent attacker to execute arbitrary code with root privileges or cause a denial of service DoS condition on an affected device. This vulnerability is due to...

CVSS 8.8 | AI score 9 | EPSS 0.0037
Exploits: 0 | References: 1

Cisco
•added 2021/07/07 4:0 p.m.•71 views

Cisco Business Process Automation Privilege Escalation Vulnerabilities

Multiple vulnerabilities in the web-based management interface of Cisco Business Process Automation BPA could allow an authenticated, remote attacker to elevate privileges to Administrator. These vulnerabilities are due to improper authorization enforcement for specific features and for access to...

CVSS 8.8 | AI score 8.7 | EPSS 0.01734
Exploits: 0 | References: 1

Cisco
•added 2021/04/07 4:0 p.m.•71 views

Cisco Umbrella Link and CSV Formula Injection Vulnerabilities

Multiple vulnerabilities in the Admin audit log export feature and Scheduled Reports feature of Cisco Umbrella could allow an authenticated, remote attacker to perform formula and link injection attacks on an affected device. For more information about these vulnerabilities, see the Details...

CVSS 6.5 | AI score 1 | EPSS 0.00722
Exploits: 0 | References: 1

Cisco
•added 2020/11/18 4:0 p.m.•71 views

Cisco IoT Field Network Director Unauthenticated REST API Vulnerability

A vulnerability in the REST API of Cisco IoT Field Network Director FND could allow an unauthenticated, remote attacker to access the back-end database of an affected system. The vulnerability exists because the affected software does not properly authenticate REST API calls. An attacker could...

CVSS 9.8 | AI score 9.6 | EPSS 0.02173
Exploits: 0 | References: 1

Cisco
•added 2020/09/02 4:0 p.m.•71 views

Cisco Jabber for Windows Message Handling Arbitrary Code Execution Vulnerability

A vulnerability in Cisco Jabber for Windows could allow an authenticated, remote attacker to execute arbitrary code. The vulnerability is due to improper validation of message contents. An attacker could exploit this vulnerability by sending specially crafted Extensible Messaging and Presence...

CVSS 9.9 | AI score 9.3 | EPSS 0.61862
Exploits: 0 | References: 1

Cisco
•added 2019/10/16 4:0 p.m.•71 views

Cisco SPA122 ATA with Router Devices DHCP Services Cross-Site Scripting Vulnerability

A vulnerability in the web-based management interface of Cisco SPA122 ATA with Router Devices could allow an unauthenticated, adjacent attacker to conduct cross-site scripting attacks. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface...

CVSS 5.2 | AI score 1.6 | EPSS 0.00432
Exploits: 0 | References: 1

Cisco
•added 2019/01/23 2:0 p.m.•71 views

Cisco Firepower Threat Defense Software Packet Inspection and Enforcement Bypass Vulnerability

A vulnerability in the data acquisition DAQ component of Cisco Firepower Threat Defense FTD Software could allow an unauthenticated, remote attacker to bypass configured access control policies or cause a denial of service DoS condition. The vulnerability exists because the affected software...

CVSS 8.6 | AI score 8.6 | EPSS 0.01249
Exploits: 0 | References: 1

Cisco
•added 2018/07/11 4:0 p.m.•71 views

Cisco Firepower System Software Detection Engine Denial of Service Vulnerability

A vulnerability in the detection engine of Cisco Firepower System Software could allow an unauthenticated, remote attacker to cause one of the detection engine processes to run out of memory and thus slow down traffic processing. The vulnerability is due to improper handling of traffic when the...

CVSS 5.3 | AI score 7.7 | EPSS 0.02195
Exploits: 0 | References: 1

Cisco
•added 2018/06/06 4:0 p.m.•71 views

Cisco Integrated Management Controller Supervisor and Cisco UCS Director DOM Stored Cross-Site Scripting Vulnerability

A vulnerability in the web-based management interface of Cisco Integrated Management Controller Supervisor Software and Cisco UCS Director Software could allow an authenticated, remote attacker to conduct a Document Object Model-based DOM-based, stored cross-site scripting XSS attack against a us...

CVSS 4.8 | AI score 2 | EPSS 0.01255
Exploits: 0 | References: 1

Cisco
•added 2018/05/22 1:0 a.m.•71 views

CPU Side-Channel Information Disclosure Vulnerabilities: May 2018

On May 21, 2018, researchers disclosed two vulnerabilities that take advantage of the implementation of speculative execution of instructions on many modern microprocessor architectures to perform side-channel information disclosure attacks. These vulnerabilities could allow an unprivileged, loca...

CVSS 5.6 | AI score 7.2 | EPSS 0.60631
Exploits: 2 | References: 1

Cisco
•added 2014/09/24 4:0 p.m.•71 views

Cisco IOS Software RSVP Vulnerability

A vulnerability in the implementation of the Resource Reservation Protocol RSVP in Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker cause the device to reload. This vulnerability could be exploited repeatedly to cause an extended denial of service DoS...

CVSS 7.8 | AI score 6.6 | EPSS 0.03023
Exploits: 0 | References: 1

Cisco
•added 2026/06/04 10:27 p.m.•70 views

Cisco Catalyst SD-WAN Controller, Catalyst SD-WAN Manager, and Catalyst SD-WAN Validator Authenticated Privilege Escalation Vulnerability

A vulnerability in the CLI of Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, and Cisco Catalyst SD-WAN Validator, formerly SD-WAN vBond, could allow an authenticated, local attacker to execute arbitrary commands as root by supplyi...

CVSS 7.8 | AI score 5.9
Exploits: 0 | References: 1

Cisco
•added 2021/09/22 4:0 p.m.•70 views

Cisco IOS and IOS XE Software FXO Interface Destination Pattern Bypass Vulnerability

A vulnerability in the Voice Telephony Service Provider VTSP service of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to bypass configured destination patterns and dial arbitrary numbers. This vulnerability is due to insufficient validation of dial...

CVSS 5.3 | AI score 5.4 | EPSS 0.00974
Exploits: 0 | References: 1

Cisco
•added 2021/08/25 4:0 p.m.•70 views

Cisco NX-OS Software VXLAN OAM (NGOAM) Denial of Service Vulnerability

A vulnerability in the VXLAN Operation, Administration, and Maintenance OAM feature of Cisco NX-OS Software, known as NGOAM, could allow an unauthenticated, remote attacker to cause a denial of service DoS condition on an affected device. This vulnerability is due to improper handling of specific...

CVSS 8.6 | AI score 8.4 | EPSS 0.01681
Exploits: 0 | References: 1

Cisco
•added 2021/08/25 4:0 p.m.•70 views

Cisco Nexus 9000 Series Fabric Switches ACI Mode Privilege Escalation Vulnerability

A vulnerability in Cisco Nexus 9000 Series Fabric Switches in Application Centric Infrastructure ACI mode could allow an authenticated, local attacker to elevate privileges on an affected device. This vulnerability is due to insufficient restrictions during the execution of a specific CLI command...

CVSS 6 | AI score 6.6 | EPSS 0.00446
Exploits: 0 | References: 1

Cisco
•added 2021/08/25 4:0 p.m.•70 views

Cisco Nexus 9000 Series Fabric Switches ACI Mode Multi-Pod and Multi-Site TCP Denial of Service Vulnerability

February 23, 2022 Update: After further investigation, Cisco determined that an additional fix was necessary to completely address this vulnerability. The initial fix allowed an attacker to cause high CPU utilization on an affected device, which could impact user traffic. See the Fixed Software...

CVSS 8.6 | AI score 8.5 | EPSS 0.02453
Exploits: 0 | References: 1

Cisco
•added 2021/03/24 4:0 p.m.•70 views

Cisco IOS XE Software Web UI Command Injection Vulnerability

A vulnerability in the web UI of Cisco IOS XE Software could allow an authenticated, remote attacker to inject arbitrary commands that can be executed as the root user. This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending a crafted...

CVSS 6.6 | AI score 7.2 | EPSS 0.0794
Exploits: 0 | References: 1

Cisco
•added 2021/01/20 4:0 p.m.•70 views

Cisco DNA Center Cross-Site Request Forgery Vulnerability

A vulnerability in the web-based management interface of Cisco DNA Center Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery CSRF attack to manipulate an authenticated user into executing malicious actions without their awareness or consent. The...

CVSS 7.1 | AI score 9 | EPSS 0.00836
Exploits: 0 | References: 1

Cisco
•added 2020/10/21 4:0 p.m.•70 views

Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Denial of Service Vulnerability

Update from October 22nd, 2020: Cisco has become aware of a new Cisco Adaptive Security Appliance vulnerability that could affect the fixed releases recommended for code trains 9.13 and 9.14 in the Fixed Software "fs" section of this advisory. See the Cisco Adaptive Security Appliance Software...

CVSS 8.6 | AI score 8.6 | EPSS 0.0381
Exploits: 0 | References: 1

Cisco
•added 2020/08/26 4:0 p.m.•70 views

Cisco FXOS and NX-OS Software Cisco Fabric Services Denial of Service Vulnerability

A vulnerability in the Cisco Fabric Services component of Cisco FXOS Software and Cisco NX-OS Software could allow an unauthenticated attacker to cause process crashes, which could result in a denial of service DoS condition on an affected device. The attack vector is configuration dependent and...

CVSS 8.6 | AI score 8.5 | EPSS 0.01371
Exploits: 0 | References: 1

Cisco
•added 2019/08/21 4:0 p.m.•70 views

Cisco Integrated Management Controller Information Disclosure Vulnerability

A vulnerability in the Intelligent Platform Management Interface IPMI implementation of Cisco Integrated Management Controller IMC could allow an unauthenticated, remote attacker to view sensitive system information. The vulnerability is due to insufficient security restrictions imposed by the...

CVSS 7.5 | AI score 7.4 | EPSS 0.01997
Exploits: 0 | References: 1

Cisco
•added 2019/08/21 4:0 p.m.•70 views

Cisco Integrated Management Controller Unauthenticated Denial of Service Vulnerability

A vulnerability in the web server of Cisco Integrated Management Controller IMC could allow an unauthenticated, remote attacker to cause the web server process to crash, causing a denial of service DoS condition on an affected system. The vulnerability is due to insufficient validation of...

CVSS 7.5 | AI score 1.7 | EPSS 0.01904
Exploits: 0 | References: 1

Cisco
•added 2019/08/21 4:0 p.m.•70 views

Cisco Integrated Management Controller Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data Denial of Service Vulnerability

A vulnerability in the web-based management interface of Cisco Integrated Management Controller IMC Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data could allow an unauthenticated, remote attacker to cause a denial of service DoS condition. The vulnerability is due to a...

CVSS 8.6 | AI score 1.1 | EPSS 0.02046
Exploits: 0 | References: 1

Cisco
•added 2019/05/15 4:0 p.m.•70 views

Cisco NX-OS Software Python Parser Privilege Escalation Vulnerability

Update from August 25, 2021: Cisco found that this vulnerability was present in additional releases of Cisco NX-OS Software with the introduction of Python 3 support. For more information, see the Fixed Software "fs" section of this advisory. A vulnerability in the Python scripting subsystem of...

CVSS 4.2 | AI score 2.6 | EPSS 0.00552
Exploits: 0 | References: 1

Cisco
•added 2019/03/13 4:0 p.m.•70 views

Cisco Common Services Platform Collector Static Credential Vulnerability

A vulnerability in the Cisco Common Services Platform Collector CSPC could allow an unauthenticated, remote attacker to access an affected device by using an account that has a default, static password. This account does not have administrator privileges. The vulnerability exists because the...

CVSS 9.8 | AI score 2.8 | EPSS 0.05817
Exploits: 0 | References: 1

Cisco
•added 2018/02/21 4:0 p.m.•70 views

Cisco Jabber Client Framework for Windows and Mac Cross-Site Scripting Vulnerability

A vulnerability in Cisco Jabber Client Framework JCF could allow an authenticated, remote attacker to conduct a cross-site scripting XSS attack against a user of an affected device. The vulnerability is due to improper neutralization of input during web page generation. An attacker could exploit...

CVSS 4.6 | AI score 0.1 | EPSS 0.00927
Exploits: 0 | References: 1

Cisco
•added 2017/09/09 5:0 p.m.•70 views

Apache Struts 2 Remote Code Execution Vulnerability Affecting Multiple Cisco Products: September 2017

On September 7, 2017, the Apache Software Foundation released a security bulletin that disclosed a vulnerability in the Freemarker tag functionality of the Apache Struts 2 package. The vulnerability could allow an unauthenticated, remote attacker to execute arbitrary code on an affected system. T...

CVSS 9.8 | AI score 9.7 | EPSS 0.8802
Exploits: 6 | References: 1

Cisco
•added 2017/07/19 4:0 p.m.•70 views

Cisco Web Security Appliance Authenticated Command Injection and Privilege Escalation Vulnerability

A vulnerability in the CLI parser of the Cisco Web Security Appliance WSA could allow an authenticated, local attacker to perform command injection and elevate privileges to root. The attacker must authenticate with valid operator-level or administrator-level credentials. The vulnerability is due...

CVSS 6.7 | AI score 7 | EPSS 0.00818
Exploits: 0 | References: 1

Cisco
•added 2004/03/17 1:0 p.m.•70 views

Cisco OpenSSL Implementation Vulnerability

...

CVSS 5 | AI score 2.5 | EPSS 0.10424
Exploits: 0 | References: 1 | Affected Software: 10

Cisco
•added 2023/03/22 4:0 p.m.•69 views

Cisco IOS and IOS XE Software IPv6 DHCP (DHCPv6) Relay and Server Denial of Service Vulnerability

A vulnerability in the IPv6 DHCP version 6 DHCPv6 relay and server features of Cisco IOS and IOS XE Software could allow an unauthenticated, remote attacker to trigger a denial of service DoS condition. This vulnerability is due to insufficient validation of data boundaries. An attacker could...

CVSS 8.6 | AI score 7.7 | EPSS 0.00951
Exploits: 0 | References: 1

Cisco
•added 2023/02/01 4:0 p.m.•69 views

Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers Arbitrary File Upload Vulnerability

A vulnerability in the web-based management interface of Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an unauthenticated, remote attacker to upload arbitrary files to an affected device. This vulnerability is due to insufficient authorization enforcement...

CVSS 5.3 | AI score 7.2 | EPSS 0.88874
Exploits: 0 | References: 1

Cisco
•added 2021/09/01 4:0 p.m.•69 views

Cisco Enterprise NFV Infrastructure Software Authentication Bypass Vulnerability

A vulnerability in the TACACS+ authentication, authorization and accounting AAA feature of Cisco Enterprise NFV Infrastructure Software NFVIS could allow an unauthenticated, remote attacker to bypass authentication and log in to an affected device as an administrator. This vulnerability is due to...

CVSS 9.8 | AI score 9.8 | EPSS 0.17661
Exploits: 1 | References: 1

Cisco
•added 2021/08/25 4:0 p.m.•69 views

Cisco Application Policy Infrastructure Controller Command Injection and File Upload Vulnerabilities

Multiple vulnerabilities in the web UI and API endpoints of Cisco Application Policy Infrastructure Controller APIC or Cisco Cloud APIC could allow a remote attacker to perform a command injection or file upload attack on an affected system. For more information about these vulnerabilities, see t...

CVSS 6.5 | AI score 7.4 | EPSS 0.01779
Exploits: 0 | References: 1

Cisco
•added 2021/06/02 4:0 p.m.•69 views

Cisco Webex Meetings and Webex Meetings Server Multimedia Sharing Security Bypass Vulnerability

A vulnerability in the multimedia viewer feature of Cisco Webex Meetings and Cisco Webex Meetings Server could allow an authenticated, remote attacker to bypass security protections. This vulnerability is due to unsafe handling of shared content within the multimedia viewer feature. An attacker...

CVSS 5 | AI score 1.2 | EPSS 0.00825
Exploits: 0 | References: 1

Cisco
•added 2021/06/02 4:0 p.m.•69 views

Cisco Common Services Platform Collector Command Injection Vulnerability

A vulnerability in the configuration dashboard of Cisco Common Services Platform Collector CSPC could allow an authenticated, remote attacker to execute arbitrary code. This vulnerability is due to insufficient sanitization of configuration entries. An attacker could exploit this vulnerability by...

CVSS 4.7 | AI score 2.2 | EPSS 0.01814
Exploits: 0 | References: 1

Cisco
•added 2021/05/05 4:0 p.m.•69 views

Cisco Integrated Management Controller Open Redirect Vulnerability

A vulnerability in the web-based management interface of Cisco Integrated Management Controller IMC Software could allow an unauthenticated, remote attacker to redirect a user to a malicious web page. This vulnerability is due to improper input validation of the parameters in an HTTP request. An...

CVSS 4.7 | AI score 5.4 | EPSS 0.00831
Exploits: 0 | References: 1

Cisco
•added 2021/04/28 4:0 p.m.•69 views

Cisco Firepower Device Manager Software Filesystem Space Exhaustion Denial of Service Vulnerability

A vulnerability in filesystem usage management for Cisco Firepower Device Manager FDM Software could allow an authenticated, remote attacker to exhaust filesystem resources, resulting in a denial of service DoS condition on an affected device. This vulnerability is due to the insufficient...

CVSS 4.9 | AI score 5.8 | EPSS 0.01184
Exploits: 0 | References: 1

Cisco
•added 2021/03/24 4:0 p.m.•69 views

Cisco IOx for IOS XE Software Command Injection Vulnerability

A vulnerability in Cisco IOx application hosting environment of Cisco IOS XE Software could allow an authenticated, remote attacker to inject commands into the underlying operating system as the root user. This vulnerability is due to incomplete validation of fields in the application packages...

CVSS 6.5 | AI score 7 | EPSS 0.3539
Exploits: 1 | References: 1

Cisco
•added 2021/03/24 4:0 p.m.•69 views

Cisco IOS XE SD-WAN Software Arbitrary File Corruption Vulnerability

A vulnerability in the CLI of Cisco IOS XE SD-WAN Software could allow an authenticated, local attacker to overwrite arbitrary files in the underlying file system. This vulnerability is due to insufficient validation of the parameters of a specific CLI command. An attacker could exploit this...

CVSS 4.4 | AI score 5.3 | EPSS 0.0023
Exploits: 0 | References: 1

Cisco
•added 2021/02/17 4:0 p.m.•69 views

Cisco StarOS Denial of Service Vulnerability

A vulnerability in the SSH service of the Cisco StarOS operating system could allow an unauthenticated, remote attacker to cause an affected device to stop processing traffic, resulting in a denial of service DoS condition. The vulnerability is due to a logic error that may occur under specific...

CVSS 5.3 | AI score 6.3 | EPSS 0.0145
Exploits: 0 | References: 1

Cisco
•added 2021/01/20 4:0 p.m.•69 views

Cisco Data Center Network Manager Certificate Validation Vulnerabilities

Multiple vulnerabilities in Cisco Data Center Network Manager DCNM could allow an attacker to spoof a trusted host or construct a man-in-the-middle attack to extract sensitive information or alter certain API requests. These vulnerabilities are due to insufficient certificate validation when...

CVSS 7.5 | AI score 7.1 | EPSS 0.00875
Exploits: 0 | References: 1

Cisco
•added 2020/10/21 4:0 p.m.•69 views

Cisco FXOS Software Firepower Chassis Manager Cross-Site Request Forgery Vulnerability

A vulnerability in the Cisco Firepower Chassis Manager FCM of Cisco FXOS Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery CSRF attack against a user of an affected device. The vulnerability is due to insufficient CSRF protections for the FCM...

CVSS 8.8 | AI score 8.8 | EPSS 0.0055
Exploits: 0 | References: 1

Total number of security vulnerabilities: 5000