Cisco: Most viewed

5223 matches found

Cisco
added 2018/09/26 4:0 p.m. | 185 views

Cisco IOS and IOS XE Software VLAN Trunking Protocol Denial of Service Vulnerability

A vulnerability in the VLAN Trunking Protocol (VTP) subsystem of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, adjacent attacker to corrupt the internal VTP database on an affected device and cause a denial of service (DoS) condition. The vulnerability is due to a logic...

CVSS 4.3 | AI score 1.9 | EPSS 0.00625
Exploits: 0 | References: 1

Cisco
added 2019/10/02 4:0 p.m. | 184 views

Cisco Adaptive Security Appliance Software SSL VPN Denial of Service Vulnerability

A vulnerability in the Secure Sockets Layer (SSL) VPN feature of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, remote attacker to cause a denial of service (DoS) condition that prevents the creation of new SSL/Transport Layer Security (TLS) connections to an affected...

CVSS 7.7 | AI score 6.9 | EPSS 0.01526
Exploits: 0 | References: 1

Cisco
added 2018/03/28 4:0 p.m. | 181 views

Cisco IOS, IOS XE, and IOS XR Software Link Layer Discovery Protocol Buffer Overflow Vulnerabilities

Multiple vulnerabilities in the Link Layer Discovery Protocol (LLDP) subsystem of Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition or execute arbitrary code with elevated privileges on a...

CVSS 8.8 | AI score 8.7
Exploits: 0 | References: 1

Cisco
added 2021/10/07 4:0 p.m. | 180 views

Apache HTTP Server Vulnerabilities: October 2021

On October 5, 2021 and October 7, 2021, the Apache Software Foundation released two security announcements for the Apache HTTP Server that disclosed the following vulnerabilities: CVE-2021-41524: Null Pointer Dereference Vulnerability; CVE-2021-41773: Path Traversal and Remote Code Execution...

CVSS 9.8 | AI score 1.1 | EPSS 0.99992
Exploits: 169 | References: 1

Cisco
added 2019/10/02 4:0 p.m. | 178 views

Cisco Unified Contact Center Express HTTP Response Splitting Vulnerability

A vulnerability in Cisco Unified Contact Center Express (UCCX) Software could allow an unauthenticated, remote attacker to conduct an HTTP response splitting attack. The vulnerability is due to insufficient input validation of some parameters that are passed to the web server of the affected system...

CVSS 6.1 | AI score 0.4 | EPSS 0.01057
Exploits: 0 | References: 1

Cisco
added 2019/10/02 4:0 p.m. | 178 views

Cisco Firepower Management Center Remote Code Execution Vulnerability

A vulnerability in the web UI of the Cisco Firepower Management Center (FMC) could allow an authenticated, remote attacker to execute arbitrary commands on an affected device. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending crafted...

CVSS 8.8 | AI score 8.9
Exploits: 0 | References: 1

Cisco
added 2019/01/23 4:0 p.m. | 176 views

Cisco IoT Field Network Director Resource Exhaustion Denial of Service Vulnerability

A vulnerability in the UDP protocol implementation for Cisco IoT Field Network Director (IoT-FND) could allow an unauthenticated, remote attacker to exhaust system resources, resulting in a denial of service (DoS) condition. The vulnerability is due to improper resource management for UDP ingress...

CVSS 7.5 | AI score 1.4 | EPSS 0.02299
Exploits: 0 | References: 1

Cisco
added 2019/01/09 4:0 p.m. | 176 views

Cisco Identity Services Engine Multiple Cross-Site Scripting Vulnerabilities

Multiple vulnerabilities in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack or a reflected cross-site scripting (XSS) attack against a user of the web-based management...

CVSS 6.1 | AI score 0.8 | EPSS 0.01271
Exploits: 2 | References: 1

Cisco
added 2019/10/02 4:0 p.m. | 174 views

Cisco Firepower Threat Defense Software Command Injection Vulnerability

A vulnerability in the command line interface (CLI) of Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, local attacker with administrative privileges to execute commands on the underlying operating system with root privileges. The vulnerability is due to insufficient input...

CVSS 6.7 | AI score 6.7 | EPSS 0.00425
Exploits: 0 | References: 1

Cisco
added 2018/04/18 4:0 p.m. | 174 views

Cisco Firepower System Software Intelligent Application Bypass Vulnerability

A vulnerability in the detection engine of Cisco Firepower System Software could allow an unauthenticated, remote attacker to bypass configured file action policies if an Intelligent Application Bypass (IAB) with a drop percentage threshold is also configured. The vulnerability is due to incorrect...

CVSS 5.8 | AI score 5.5 | EPSS 0.01229
Exploits: 0 | References: 1

Cisco
added 2018/01/04 10:20 p.m. | 170 views

CPU Side-Channel Information Disclosure Vulnerabilities

On January 3, 2018, researchers disclosed three vulnerabilities that take advantage of the implementation of speculative execution of instructions on many modern microprocessor architectures to perform side-channel information disclosure attacks. These vulnerabilities could allow an unprivileged...

CVSS 5.6 | AI score 7.6 | EPSS 0.93838
Exploits: 12 | References: 1

Cisco
added 2021/01/29 9:30 p.m. | 169 views

Sudo Privilege Escalation Vulnerability Affecting Cisco Products: January 2021

A vulnerability in the command line parameter parsing code of Sudo could allow an authenticated, local attacker to execute commands or binaries with root privileges. The vulnerability is due to improper parsing of command line parameters that may result in a heap-based buffer overflow. An attacke...

CVSS 7.8 | AI score 8.2 | EPSS 0.99305
Exploits: 81 | References: 1

Cisco
added 2019/10/02 4:0 p.m. | 169 views

Cisco FTD, FMC, and FXOS Software Pluggable Authentication Module Denial of Service Vulnerability

A vulnerability in the configuration of the Pluggable Authentication Module (PAM) used in Cisco Firepower Threat Defense (FTD) Software, Cisco Firepower Management Center (FMC) Software, and Cisco FXOS Software could allow an authenticated, remote attacker to cause a denial of service (DoS) condition. Th...

CVSS 7.7 | AI score 6.7 | EPSS 0.01879
Exploits: 0 | References: 1

Cisco
added 2020/09/24 4:0 p.m. | 168 views

Cisco IOS XE Software Arbitrary Code Execution Vulnerability

A vulnerability in Cisco IOS XE Software could allow an authenticated, local attacker to execute persistent code at boot time and break the chain of trust. This vulnerability is due to incorrect validations by boot scripts when specific ROM monitor (ROMMON) variables are set. An attacker could...

CVSS 6.7 | AI score 6.5 | EPSS 0.00357
Exploits: 0 | References: 1

Cisco
added 2019/10/02 4:0 p.m. | 168 views

Cisco Unified Communications Manager SQL Injection Vulnerability

A vulnerability in the web-based interface of Cisco Unified Communications Manager and Cisco Unified Communications Manager Session Management Edition (SME) could allow an authenticated, remote attacker to impact the confidentiality of an affected system by executing arbitrary SQL queries. The...

CVSS 4.9 | AI score 2.4 | EPSS 0.01495
Exploits: 0 | References: 1

Cisco
added 2019/01/23 4:0 p.m. | 168 views

Cisco SD-WAN Solution Privilege Escalation Vulnerability

A vulnerability in the user group configuration of the Cisco SD-WAN Solution could allow an authenticated, local attacker to gain elevated privileges on an affected device. The vulnerability is due to a failure to properly validate certain parameters included within the group configuration. An...

CVSS 7.8 | AI score 2.2 | EPSS 0.00372
Exploits: 0 | References: 1

Cisco
added 2015/03/20 8:20 p.m. | 167 views

Multiple Vulnerabilities in OpenSSL (March 2015) Affecting Cisco Products

Multiple Cisco products incorporate a version of the OpenSSL package affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or corrupt portions of OpenSSL process memory. On March 19, 2015, the OpenSSL Project releas...

CVSS 2.6 | AI score 7.4 | EPSS 0.44741
Exploits: 1 | References: 1

Cisco
added 2019/10/02 4:0 p.m. | 166 views

Cisco Firepower Management Center Command Injection Vulnerability

A vulnerability in the web UI of the Cisco Firepower Management Center (FMC) could allow an authenticated, remote attacker to inject arbitrary commands that are executed with the privileges of the root user of the underlying operating system. The vulnerability is due to insufficient validation of...

CVSS 7.2 | AI score 7.4 | EPSS 0.03507
Exploits: 0 | References: 1

Cisco
added 2019/10/02 4:0 p.m. | 166 views

Cisco Prime Infrastructure Cross-Site Scripting Vulnerability

A vulnerability in the web-based management interface of Cisco Prime Infrastructure could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of the affected software. The vulnerability is due to insufficient...

CVSS 6.1 | AI score 1.4 | EPSS 0.01057
Exploits: 0 | References: 1

Cisco
added 2022/06/22 4:0 p.m. | 165 views

Cisco FirePOWER Software for ASA FirePOWER Module Command Injection Vulnerability

A vulnerability in the CLI parser of Cisco FirePOWER Software for Adaptive Security Appliance (ASA) FirePOWER module could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected ASA FirePOWER module as the root user. This vulnerabilit...

CVSS 6.5 | AI score 7.3 | EPSS 0.39862
Exploits: 4 | References: 1

Cisco
added 2019/10/02 4:0 p.m. | 165 views

Cisco FXOS Software and Firepower Threat Defense Software Command Injection Vulnerabilities

Multiple vulnerabilities in the CLI of Cisco FXOS Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, local attacker to execute commands on the underlying operating system (OS) with root privileges. These vulnerabilities are due to insufficient input validation. A...

CVSS 8.8 | AI score 2.3 | EPSS 0.00488
Exploits: 0 | References: 1

Cisco
added 2021/06/01 12:30 p.m. | 164 views

Lasso SAML Implementation Vulnerability Affecting Cisco Products: June 2021

On June 1, 2021, Lasso disclosed a security vulnerability in the Lasso Security Assertion Markup Language (SAML) Single Sign-On (SSO) library. This vulnerability could allow an authenticated attacker to impersonate another authorized user when interacting with an application. For a description of thi...

CVSS 8.8 | AI score 0.5 | EPSS 0.01325
Exploits: 0 | References: 1

Cisco
added 2019/10/02 4:0 p.m. | 164 views

Cisco IC3000 Industrial Compute Gateway Denial of Service Vulnerability

A vulnerability in the web-based management interface of Cisco IC3000 Industrial Compute Gateway could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability exists because the affected software improperly manages system...

CVSS 6.5 | AI score 2.4 | EPSS 0.01513
Exploits: 0 | References: 1

Cisco
added 2021/09/22 4:0 p.m. | 162 views

Cisco IOS XE Software NETCONF and RESTCONF Authentication Bypass Vulnerability

A vulnerability in the authentication, authorization, and accounting (AAA) function of Cisco IOS XE Software could allow an unauthenticated, remote attacker to bypass NETCONF or RESTCONF authentication and do either of the following: Install, manipulate, or delete the configuration of an affected...

CVSS 9.8 | AI score 9.8 | EPSS 0.01702
Exploits: 0 | References: 1

Cisco
added 2019/10/02 4:0 p.m. | 162 views

Cisco Unified Communications Manager Cross-Site Scripting Vulnerability

A vulnerability in the web-based interface of Cisco Unified Communications Manager and Cisco Unified Communications Manager Session Management Edition (SME) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based interface. The...

CVSS 6.1 | AI score 1.7 | EPSS 0.01057
Exploits: 0 | References: 1

Cisco
added 2019/06/26 4:0 p.m. | 161 views

Cisco Data Center Network Manager Arbitrary File Upload and Remote Code Execution Vulnerability

A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to upload arbitrary files on an affected device. The vulnerability is due to incorrect permission settings in affected DCNM software. An attacker could...

CVSS 9.8 | AI score 3.3 | EPSS 0.8378
Exploits: 5 | References: 1

Cisco
added 2018/09/26 4:0 p.m. | 161 views

Cisco IOS XE Software NAT Session Initiation Protocol Application Layer Gateway Denial of Service Vulnerability

A vulnerability in the Network Address Translation (NAT) Session Initiation Protocol (SIP) Application Layer Gateway (ALG) of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload. The vulnerability is due to improper processing of SIP packets in...

CVSS 8.6 | AI score 1.5 | EPSS 0.13698
Exploits: 0 | References: 1

Cisco
added 2019/01/23 4:0 p.m. | 160 views

Cisco SD-WAN Solution Buffer Overflow Vulnerability

A vulnerability in the vContainer of the Cisco SD-WAN Solution could allow an authenticated, remote attacker to cause a denial of service (DoS) condition and execute arbitrary code as the root user. The vulnerability is due to improper bounds checking by the vContainer. An attacker could exploit th...

CVSS 9.9 | AI score 2.3 | EPSS 0.04853
Exploits: 0 | References: 1

Cisco
added 2021/08/18 4:0 p.m. | 159 views

Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers Remote Command Execution and Denial of Service Vulnerability

A vulnerability in the Universal Plug-and-Play (UPnP) service of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an unauthenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly, resulting in a denial of service (DoS)...

CVSS 9.8 | AI score 9 | EPSS 0.13578
Exploits: 0 | References: 1

Cisco
added 2019/10/02 4:0 p.m. | 157 views

Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software FTP Inspection Denial of Service Vulnerability

A vulnerability in the FTP inspection engine of Cisco Adaptive Security (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to insufficient validatio...

CVSS 8.6 | AI score 7.6 | EPSS 0.01772
Exploits: 0 | References: 1

Cisco
added 2019/06/26 4:0 p.m. | 157 views

Cisco Data Center Network Manager Authentication Bypass Vulnerability

A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device. The vulnerability is due to improper session...

CVSS 9.8 | AI score 2.7 | EPSS 0.82815
Exploits: 8 | References: 1

Cisco
added 2019/03/27 4:0 p.m. | 157 views

Cisco IOS and IOS XE Software Network Plug-and-Play Agent Certificate Validation Vulnerability

A vulnerability in the Cisco Network Plug-and-Play (PnP) agent of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to gain unauthorized access to sensitive data. The vulnerability exists because the affected software insufficiently validates certificates...

CVSS 7.4 | AI score 7.5 | EPSS 0.01183
Exploits: 0 | References: 1

Cisco
added 2021/02/24 4:0 p.m. | 156 views

Cisco NX-OS Software ICMP Version 6 Memory Leak Denial of Service Vulnerability

A vulnerability in ICMP Version 6 (ICMPv6) processing in Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause a slow system memory leak, which over time could lead to a denial of service (DoS) condition. This vulnerability is due to improper error handling when an...

CVSS 5.8 | AI score 5.5 | EPSS 0.01375
Exploits: 0 | References: 1

Cisco
added 2019/10/16 4:0 p.m. | 156 views

Cisco Wireless LAN Controller Secure Shell Denial of Service Vulnerability

A vulnerability in the Secure Shell (SSH) session management for Cisco Wireless LAN Controller (WLC) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability exists because the SSH process is not properly deleted when...

CVSS 8.6 | AI score 1.4 | EPSS 0.01415
Exploits: 0 | References: 1

Cisco
added 2019/01/23 4:0 p.m. | 154 views

Cisco SD-WAN Solution Arbitrary File Overwrite Vulnerability

A vulnerability in the Cisco SD-WAN Solution could allow an authenticated, remote attacker to overwrite arbitrary files on the underlying operating system of an affected device. The vulnerability is due to improper input validation of the save command in the CLI of the affected software. An...

CVSS 8.8 | AI score 2.4 | EPSS 0.03475
Exploits: 0 | References: 1

Cisco
added 2017/10/16 2:0 p.m. | 153 views

Multiple Vulnerabilities in Wi-Fi Protected Access and Wi-Fi Protected Access II

On October 16, 2017, a research paper with the title “Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2” was made publicly available. This paper discusses seven vulnerabilities affecting session key negotiation in both the Wi-Fi Protected Access (WPA) and the Wi-Fi Protected Access II (WPA2)...

CVSS 4.3 | AI score 7.4 | EPSS 0.04575
Exploits: 1 | References: 1

Cisco
added 2021/08/25 4:0 p.m. | 150 views

Cisco NX-OS Software system login block-for Denial of Service Vulnerability

A vulnerability in the implementation of the system login block-for command for Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause a login process to unexpectedly restart, causing a denial of service (DoS) condition. This vulnerability is due to a logic error in the...

CVSS 5.3 | AI score 5.6 | EPSS 0.01572
Exploits: 0 | References: 1

Cisco
added 2021/08/25 4:0 p.m. | 150 views

Cisco Application Policy Infrastructure Controller Arbitrary File Read and Write Vulnerability

A vulnerability in an API endpoint of Cisco Application Policy Infrastructure Controller (APIC) and Cisco Cloud Application Policy Infrastructure Controller (Cloud APIC) could allow an unauthenticated, remote attacker to read or write arbitrary files on an affected system. This vulnerability is due t...

CVSS 9.1 | AI score 9.3 | EPSS 0.01303
Exploits: 0 | References: 1

Cisco
added 2019/02/27 4:0 p.m. | 150 views

Cisco Webex Meetings Desktop App and Cisco Webex Productivity Tools Update Service Command Injection Vulnerability

A vulnerability in the update service of Cisco Webex Meetings Desktop App and Cisco Webex Productivity Tools for Windows could allow an authenticated, local attacker to execute arbitrary commands as a privileged user. The vulnerability is due to insufficient validation of user-supplied parameters...

CVSS 7.8 | AI score 2.5 | EPSS 0.10759
Exploits: 5 | References: 1

Cisco
added 2019/10/02 4:0 p.m. | 149 views

Cisco Firepower Threat Defense Software Multi-instance Container Escape Vulnerabilities

Multiple vulnerabilities in the multi-instance feature of Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, local attacker to escape the container for their FTD instance and execute commands with root privileges in the host namespace. These vulnerabilities are due to...

CVSS 8.2 | AI score 8.5
Exploits: 0 | References: 1

Cisco
added 2019/07/03 4:0 p.m. | 149 views

Cisco Unified Communications Manager Session Initiation Protocol Denial of Service Vulnerability

A vulnerability in the Session Initiation Protocol (SIP) protocol implementation of Cisco Unified Communications Manager and Unified Communications Manager Session Management Edition could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. The vulnerability is due...

CVSS 8.6 | AI score 1.6 | EPSS 0.01772
Exploits: 0 | References: 1

Cisco
added 2015/01/15 8:47 p.m. | 148 views

Cisco TelePresence VCS and Expressway High CPU Utilization Vulnerability

A vulnerability in the SIP code of Cisco TelePresence Video Communication Server (VCS) and Cisco Expressway could allow an unauthenticated, remote attacker to cause high memory consumption and CPU utilization, which could cause some services to become unavailable and degrade performance. The...

CVSS 5 | AI score 6.4 | EPSS 0.0202
Exploits: 0 | References: 1

Cisco
added 2019/10/02 4:0 p.m. | 147 views

Cisco Firepower System Software Detection Engine RTF and RAR Malware and File Policy Bypass Vulnerabilities

Multiple vulnerabilities in the Cisco Firepower System Software Detection Engine could allow an unauthenticated, remote attacker to bypass configured Malware and File Policies for RTF and RAR file types. For more information about these vulnerabilities, see the Details section of this...

CVSS 5.8 | AI score 1 | EPSS 0.01455
Exploits: 0 | References: 1

Cisco
added 2019/06/19 4:0 p.m. | 147 views

Cisco DNA Center Authentication Bypass Vulnerability

A vulnerability in Cisco Digital Network Architecture (DNA) Center could allow an unauthenticated, adjacent attacker to bypass authentication and access critical internal services. The vulnerability is due to insufficient access restriction to ports necessary for system operation. An attacker could...

CVSS 9.3 | AI score 1.7 | EPSS 0.00729
Exploits: 0 | References: 1

Cisco
added 2021/08/18 4:0 p.m. | 146 views

BlackBerry QNX-2021-001 Vulnerability Affecting Cisco Products: August 2021

On August 17, 2021, BlackBerry released a security advisory, QNX-2021-001 (https://support.blackberry.com/kb/articleDetail?articleNumber=000082334), that disclosed an integer overflow vulnerability in the following BlackBerry software releases: QNX Software Development Platform (SDP) – 6.5.0SP1 and...

CVSS 9.8 | AI score 9.8 | EPSS 0.018
Exploits: 0 | References: 1

Cisco
added 2021/02/24 4:0 p.m. | 145 views

Cisco FXOS and NX-OS Software Unidirectional Link Detection Denial of Service and Arbitrary Code Execution Vulnerability

A vulnerability in the Unidirectional Link Detection (UDLD) feature of Cisco FXOS Software and Cisco NX-OS Software could allow an unauthenticated, adjacent attacker to execute arbitrary code with administrative privileges or cause a denial of service (DoS) condition on an affected device. This...

CVSS 8.8 | AI score 9 | EPSS 0.00441
Exploits: 0 | References: 1

Cisco
added 2021/01/13 4:0 p.m. | 145 views

Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers Remote Command Execution and Denial of Service Vulnerabilities

Multiple vulnerabilities in the Universal Plug and Play (UPnP) service and the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow a remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly. For more...

CVSS 9.8 | AI score 7.8 | EPSS 0.05628
Exploits: 4 | References: 1

Cisco
added 2020/06/03 4:0 p.m. | 145 views

Cisco IOS, IOS XE, and NX-OS Software Security Group Tag Exchange Protocol Denial of Service Vulnerability

A vulnerability in Security Group Tag Exchange Protocol (SXP) in Cisco IOS Software, Cisco IOS XE Software, and Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause the affected device to reload, resulting in a denial of service (DoS) condition. The vulnerability exists becau...

CVSS 6.8 | AI score 2.4 | EPSS 0.01786
Exploits: 0 | References: 1

Cisco
added 2019/06/19 4:0 p.m. | 145 views

Cisco Prime Service Catalog Cross-Site Request Forgery Vulnerability

A vulnerability in the web-based management interface of Cisco Prime Service Catalog Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protection mechanisms on the...

CVSS 8.8 | AI score 2.4 | EPSS 0.00803
Exploits: 0 | References: 1

Cisco
added 2019/01/23 4:0 p.m. | 144 views

Cisco AMP Threat Grid API Key Information Disclosure Vulnerability

A vulnerability in Cisco AMP Threat Grid could allow an authenticated, remote attacker to access sensitive information. The vulnerability is due to unsafe creation of API keys. An attacker could exploit this vulnerability by using insecure credentials to gain unauthorized access to the affected...

CVSS 4.3 | AI score 0.7 | EPSS 0.0145
Exploits: 0 | References: 1

Total number of security vulnerabilities: 5000