Lucene search
Cisco • Most viewed

5224 matches found

Cisco
•added 2014/10/15 4:0 p.m.•45 views

Multiple Vulnerabilities in Cisco TelePresence Video Communication Server and Cisco Expressway Software

Cisco TelePresence Video Communication Server (VCS) and Cisco Expressway Software includes the following vulnerabilities: Cisco TelePresence VCS and Cisco Expressway Crafted Packets Denial of Service Vulnerability; Cisco TelePresence VCS and Cisco Expressway SIP IX Filter Denial of Service...

CVSS 7.8 • AI score 6.8 • EPSS 0.03949
Exploits: 0 • References: 1
Cisco
•added 2014/04/09 4:22 p.m.•45 views

Cisco Adaptive Security Appliance SSL VPN Authentication Bypass Vulnerability

A vulnerability in the SSL VPN code could allow an unauthenticated, remote attacker to access the SSL VPN portal web page. The vulnerability is due to improper handling of authentication cookies when the Cisco ASA SSL VPN feature is enabled. An attacker could exploit this vulnerability by manuall...

CVSS 5 • AI score 8.4 • EPSS 0.01906
Exploits: 0 • References: 1
Cisco
•added 2014/01/15 10:37 p.m.•45 views

Cisco ISE Unprivileged Support Bundle Download Vulnerability

A vulnerability in the role-based access control code of the Cisco Identity Services Engine (ISE) could allow an authenticated, but unprivileged, remote attacker to access support bundle information. The vulnerability is due to a failure to check the user privileges correctly when downloading the...

CVSS 4 • AI score 6.3 • EPSS 0.01436
Exploits: 0 • References: 1
Cisco
•added 2013/04/15 4:0 p.m.•46 views

Multiple Vulnerabilities in Cisco IOS XE Software for 1000 Series Aggregation Services Routers

Cisco IOS XE Software for 1000 Series Aggregation Services Routers (ASR) contains the following denial of service (DoS) vulnerabilities: Cisco IOS XE Software IPv6 Multicast Traffic Denial of Service Vulnerability; Cisco IOS XE Software MVPNv6 Traffic Denial of Service Vulnerability; Cisco IOS XE...

CVSS 7.8 • AI score 6.6
Exploits: 0 • References: 1
Cisco
•added 2013/04/10 4:0 p.m.•45 views

Multiple Vulnerabilities in Cisco Unified MeetingPlace Solution

Cisco Unified MeetingPlace Application Server contains an authentication bypass vulnerability and Cisco Unified MeetingPlace Web Conferencing Server contains an arbitrary login vulnerability. For both vulnerabilities, successful exploitation could allow an unauthenticated, remote attacker to...

CVSS 9.3 • AI score 7.2 • EPSS 0.01844
Exploits: 0 • References: 1
Cisco
•added 2013/03/27 4:30 p.m.•45 views

Cisco IOS Software Network Address Translation Denial of Service Vulnerability

Cisco IOS Software contains a vulnerability that could allow an unauthenticated, remote attacker to cause a reload of a vulnerable device. The vulnerability is due to improper translation of valid Session Initiation Protocol (SIP) packets across a Network Address Translation (NAT) boundary. An attack...

CVSS 7.8 • AI score 2.4 • EPSS 0.01057
Exploits: 0 • References: 1
Cisco
•added 2011/09/28 4:0 p.m.•45 views

Cisco IOS Software Smart Install Remote Code Execution Vulnerability

A vulnerability exists in the Smart Install feature of Cisco Catalyst Switches running Cisco IOS Software that could allow an unauthenticated, remote attacker to perform remote code execution on the affected device. Cisco has released software updates that address this vulnerability. There are no...

CVSS 10 • AI score 7.1 • EPSS 0.10757
Exploits: 1 • References: 1
Cisco
•added 2008/04/03 4:0 p.m.•45 views

Cisco Unified Communications Disaster Recovery Framework Command Execution Vulnerability

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES TH...

CVSS 10 • AI score 6.2 • EPSS 0.05139
Exploits: 1 • References: 1
Cisco
•added 2024/03/27 4:0 p.m.•44 views

Cisco IOS XE Software Auxiliary Asynchronous Port Denial of Service Vulnerability

A vulnerability in auxiliary asynchronous port (AUX) functions of Cisco IOS XE Software could allow an authenticated, local attacker to cause an affected device to reload or stop responding. This vulnerability is due to the incorrect handling of specific ingress traffic when flow control hardware i...

CVSS 5.6 • AI score 5.5 • EPSS 0.00102
Exploits: 0 • References: 1
Cisco
•added 2024/03/27 4:0 p.m.•44 views

Cisco IOS Software for Catalyst 6000 Series Switches Denial of Service Vulnerability

A vulnerability in Cisco IOS Software for Cisco Catalyst 6000 Series Switches could allow an unauthenticated, adjacent attacker to cause an affected device to reload unexpectedly. This vulnerability is due to improper handling of process-switched traffic. An attacker could exploit this...

CVSS 7.4 • AI score 7.4 • EPSS 0.00291
Exploits: 0 • References: 1
Cisco
•added 2024/01/10 4:0 p.m.•44 views

Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerability

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to perform a stored cross-site scripting (XSS) attack against a user of the interface on an affected device. This vulnerability exists because the web-based...

CVSS 4.8 • AI score 5 • EPSS 0.00355
Exploits: 0 • References: 1
Cisco
•added 2023/12/12 4:0 p.m.•44 views

Apache Struts Vulnerability Affecting Cisco Products: December 2023

On December 7, 2023, the following vulnerability in Apache Struts was disclosed: CVE-2023-50164: An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. For...

CVSS 9.8 • AI score 9.6 • EPSS 0.80819
Exploits: 15 • References: 1
Cisco
•added 2023/08/23 4:0 p.m.•44 views

Cisco NX-OS Software TACACS+ or RADIUS Remote Authentication Directed Request Denial of Service Vulnerability

A vulnerability in TACACS+ and RADIUS remote authentication for Cisco NX-OS Software could allow an unauthenticated, local attacker to cause an affected device to unexpectedly reload. This vulnerability is due to incorrect input validation when processing an authentication attempt if the directed...

CVSS 7.1 • AI score 6.7 • EPSS 0.00207
Exploits: 0 • References: 1
Cisco
•added 2023/07/05 4:0 p.m.•44 views

Cisco Webex Meetings Web UI Vulnerabilities

Multiple vulnerabilities in the web UI of Cisco Webex Meetings could allow a remote attacker to conduct stored cross-site scripting (XSS) or cross-site request forgery (CSRF) attacks. For more information about these vulnerabilities, see the Details section of this advisory. Cisco has...

CVSS 5.4 • AI score 5.3 • EPSS 0.00517
Exploits: 0 • References: 1
Cisco
•added 2023/06/07 4:0 p.m.•44 views

Cisco Unified Communications Manager IM & Presence Service Denial of Service Vulnerability

A vulnerability in the XCP Authentication Service of the Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P) could allow an unauthenticated, remote attacker to cause a temporary service outage for all Cisco Unified CM IM&P users who are attempting to authenticate to the...

CVSS 7.5 • AI score 7.8 • EPSS 0.00933
Exploits: 0 • References: 1
Cisco
•added 2023/02/01 4:0 p.m.•44 views

Cisco Identity Services Engine Privilege Escalation Vulnerabilities

Multiple vulnerabilities in specific Cisco Identity Services Engine (ISE) CLI commands could allow an authenticated, local attacker to perform command injection attacks on the underlying operating system and elevate privileges to root. To exploit these vulnerabilities, an attacker must have valid...

CVSS 6 • AI score 6.6
Exploits: 0 • References: 1
Cisco
•added 2022/11/09 4:0 p.m.•44 views

Cisco FirePOWER Software for ASA FirePOWER Module, Firepower Management Center Software, and NGIPS Software SNMP Default Credential Vulnerability

A vulnerability in the Simple Network Management Protocol (SNMP) access controls for Cisco FirePOWER Software for Adaptive Security Appliance (ASA) FirePOWER module, Cisco Firepower Management Center (FMC) Software, and Cisco Next-Generation Intrusion Prevention System (NGIPS) Software could allow an...

CVSS 7.5 • AI score 7.5 • EPSS 0.00847
Exploits: 0 • References: 1
Cisco
•added 2022/09/28 4:0 p.m.•44 views

Cisco IOS XE Software Web UI Command Injection Vulnerability

A vulnerability in the web UI feature of Cisco IOS XE Software could allow an authenticated, remote attacker to perform an injection attack against an affected device. This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending crafted input...

CVSS 5.5 • AI score 6.8 • EPSS 0.00896
Exploits: 0 • References: 1
Cisco
•added 2022/09/07 4:0 p.m.•44 views

Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers IPSec VPN Server Authentication Bypass Vulnerability

A vulnerability in the IPSec VPN Server authentication functionality of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an unauthenticated, remote attacker to bypass authentication controls and access the IPSec VPN network. This vulnerability is due to the improper...

CVSS 4 • AI score 0.9 • EPSS 0.00838
Exploits: 0 • References: 1
Cisco
•added 2022/04/20 4:0 p.m.•44 views

Cisco Adaptive Security Appliance and Cisco Firepower Threat Defense Software AnyConnect SSL VPN Denial of Service Vulnerability

A vulnerability in the implementation of the Datagram TLS (DTLS) protocol in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause high CPU utilization, resulting in a denial of service (DoS) condition...

CVSS 5.8 • AI score 6.4 • EPSS 0.00666
Exploits: 0 • References: 1
Cisco
•added 2021/10/27 4:0 p.m.•44 views

Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Denial of Service Vulnerabilities

Multiple vulnerabilities in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to trigger a denial of service (DoS) condition. These vulnerabilities are due to improper input...

CVSS 8.6 • AI score 8.1 • EPSS 0.01307
Exploits: 0 • References: 1
Cisco
•added 2021/09/22 4:0 p.m.•45 views

Cisco IOS XE SD-WAN Software Privilege Escalation Vulnerability

A vulnerability in the Cisco IOS XE SD-WAN Software CLI could allow an authenticated, local attacker to elevate privileges and execute arbitrary code on the underlying operating system as the root user. An attacker must be authenticated on an affected device as a PRIV15 user. This vulnerability i...

CVSS 6 • AI score 6.2 • EPSS 0.00257
Exploits: 0 • References: 1
Cisco
•added 2021/03/03 4:0 p.m.•44 views

Cisco ASR 5000 Series Software (StarOS) ipsecmgr Process Denial of Service Vulnerability

A vulnerability in the ipsecmgr process of Cisco ASR 5000 Series Software (StarOS) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. This vulnerability is due to insufficient validation of incoming Internet Key Exchange Version 2 (IKEv2) packets. An attacker...

CVSS 5.3 • AI score 5.4 • EPSS 0.00778
Exploits: 0 • References: 1
Cisco
•added 2021/01/20 4:0 p.m.•44 views

Cisco SD-WAN Information Disclosure Vulnerability

A vulnerability in the CLI of Cisco SD-WAN Software could allow an authenticated, local attacker to access sensitive information on an affected device. The vulnerability is due to insufficient input validation of requests that are sent to the iperf tool. An attacker could exploit this vulnerabili...

CVSS 4.4 • AI score 1.2 • EPSS 0.0032
Exploits: 0 • References: 1
Cisco
•added 2021/01/13 4:0 p.m.•44 views

Cisco Unified Communications Products Information Disclosure Vulnerability

A vulnerability in the audit logging component of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, Cisco Unity Connection, Cisco Emergency Responder, and Cisco Prime License Manager...

CVSS 4.3 • AI score 5.3 • EPSS 0.00908
Exploits: 0 • References: 1
Cisco
•added 2021/01/13 4:0 p.m.•44 views

Cisco Connected Mobile Experiences User Enumeration Vulnerability

A vulnerability in Cisco Connected Mobile Experiences (CMX) API authorizations could allow an authenticated, remote attacker to enumerate what users exist on the system. The vulnerability is due to a lack of authorization checks for certain API GET requests. An attacker could exploit this...

CVSS 4.3 • AI score 4.5 • EPSS 0.00734
Exploits: 0 • References: 1
Cisco
•added 2021/01/13 4:0 p.m.•44 views

Cisco DNA Center Cross-Site Scripting Vulnerability

A vulnerability in the web-based management interface of Cisco DNA Center software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface of an affected device. The vulnerability exists because the web-based management interface...

CVSS 4.8 • AI score 4.9 • EPSS 0.00817
Exploits: 0 • References: 1
Cisco
•added 2021/01/13 4:0 p.m.•44 views

Cisco Enterprise NFV Infrastructure Software Cross-Site Scripting Vulnerability

A vulnerability in the web-based management interface of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface. The vulnerability is due to improper input...

CVSS 5.4 • AI score 5.2 • EPSS 0.00614
Exploits: 0 • References: 1
Cisco
•added 2021/01/13 4:0 p.m.•44 views

Cisco Proximity Desktop for Windows DLL Hijacking Vulnerability

A vulnerability in the loading process of specific DLLs in Cisco Proximity Desktop for Windows could allow an authenticated, local attacker to load a malicious library. To exploit this vulnerability, the attacker must have valid credentials on the Windows system. This vulnerability is due to...

CVSS 4.8 • AI score 6.4 • EPSS 0.00914
Exploits: 0 • References: 1
Cisco
•added 2021/01/13 4:0 p.m.•44 views

Cisco Webex Meetings and Cisco Webex Meetings Server Host Key Brute Forcing Vulnerability

A vulnerability in the reclaim host role feature of Cisco Webex Meetings and Cisco Webex Meetings Server could allow an authenticated, remote attacker to take over the host role during a meeting. This vulnerability is due to a lack of protection against brute forcing of the host key. An attacker...

CVSS 5.4 • AI score 5.5 • EPSS 0.01263
Exploits: 0 • References: 1
Cisco
•added 2020/11/18 4:0 p.m.•44 views

Cisco Secure Web Appliance Privilege Escalation Vulnerability

A vulnerability in the log subscription subsystem of Cisco AsyncOS for the Cisco Secure Web Appliance (formerly Web Security Appliance) could allow an authenticated, local attacker to perform command injection and elevate privileges to root. This vulnerability is due to insufficient validation of...

CVSS 5.3 • AI score 6.9 • EPSS 0.00788
Exploits: 0 • References: 1
Cisco
•added 2020/11/18 4:0 p.m.•44 views

Cisco Webex Meetings and Cisco Webex Meetings Server Information Disclosure Vulnerability

A vulnerability in Cisco Webex Meetings and Cisco Webex Meetings Server could allow an unauthenticated, remote attacker to view sensitive information from the meeting room lobby. This vulnerability is due to insufficient protection of sensitive participant information. An attacker could exploit...

CVSS 5.3 • AI score 0.3 • EPSS 0.01546
Exploits: 0 • References: 1
Cisco
•added 2020/10/21 4:0 p.m.•44 views

Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software OSPFv2 Link-Local Signaling Denial of Service Vulnerability

Update from October 22nd, 2020: Cisco has become aware of a new Cisco Adaptive Security Appliance vulnerability that could affect the fixed releases recommended for code trains 9.13 and 9.14 in the Fixed Software section of this advisory. See the Cisco Adaptive Security Appliance Software...

CVSS 8.6 • AI score 8.1 • EPSS 0.01415
Exploits: 0 • References: 1
Cisco
•added 2020/08/26 4:0 p.m.•44 views

Cisco NX-OS Software Border Gateway Protocol Multicast VPN Denial of Service Vulnerability

A vulnerability in the Border Gateway Protocol (BGP) Multicast VPN (MVPN) implementation of Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause an affected device to unexpectedly reload, resulting in a denial of service (DoS) condition. The vulnerability is due to incomplete...

CVSS 8.6 • AI score 8.5 • EPSS 0.01812
Exploits: 0 • References: 1
Cisco
•added 2020/06/17 4:0 p.m.•44 views

Cisco AMP for Endpoints and ClamAV Privilege Escalation Vulnerability

A vulnerability in the endpoint software of Cisco AMP for Endpoints and Clam AntiVirus could allow an authenticated, local attacker to cause the running software to delete arbitrary files on the system. The vulnerability is due to a race condition that could occur when scanning malicious files. A...

CVSS 5.5 • AI score 1.6 • EPSS 0.00264
Exploits: 0 • References: 1
Cisco
•added 2020/06/01 4:0 p.m.•44 views

Cisco NX-OS Software Unexpected IP in IP Packet Processing Vulnerability

A vulnerability in the network stack of Cisco NX-OS Software could allow an unauthenticated, remote attacker to bypass certain security boundaries or cause a denial of service (DoS) condition on an affected device. The vulnerability is due to the affected device unexpectedly decapsulating and...

CVSS 8.6 • AI score 1.7 • EPSS 0.26458
Exploits: 0 • References: 1
Cisco
•added 2020/05/20 4:0 p.m.•44 views

Cisco Prime Collaboration Provisioning Software SQL Injection Vulnerability

A vulnerability in the web-based management interface of Cisco Prime Collaboration Provisioning Software could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. The vulnerability exists because the web-based management interface improperly validates...

CVSS 6.7 • AI score 1.3 • EPSS 0.00944
Exploits: 0 • References: 1
Cisco
•added 2020/05/06 4:0 p.m.•44 views

Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Malformed OSPF Packets Processing Denial of Service Vulnerability

A vulnerability in the Open Shortest Path First (OSPF) implementation of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause the reload of an affected device, resulting in a denial of service (DoS)...

CVSS 8.6 • AI score 8.2 • EPSS 0.01918
Exploits: 0 • References: 1
Cisco
•added 2020/02/19 4:0 p.m.•44 views

Cisco Email Security Appliance Denial of Service Vulnerability

A vulnerability in the email message filtering feature of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to cause the CPU utilization to increase to 100 percent, causing a denial of service (DoS) condition on an affected device. The...

CVSS 8.6 • AI score 1.6 • EPSS 0.01918
Exploits: 0 • References: 1
Cisco
•added 2019/11/06 4:0 p.m.•44 views

Cisco Webex Network Recording Admin Page Privilege Escalation Vulnerability

A vulnerability in the Webex Network Recording Admin page of Cisco Webex Meetings could allow an authenticated, remote attacker to elevate privileges in the context of the affected page. To exploit this vulnerability, the attacker must be logged in as a low-level administrator. The vulnerability ...

CVSS 5.4 • AI score 2.7 • EPSS 0.01278
Exploits: 0 • References: 1
Cisco
•added 2019/05/01 4:0 p.m.•44 views

Cisco Application Policy Infrastructure Controller Recoverable Encryption Key Vulnerability

A vulnerability in Cisco Application Policy Infrastructure Controller (APIC) Software could allow an unauthenticated, local attacker with physical access to obtain sensitive information from an affected device. The vulnerability is due to insecure removal of cleartext encryption keys stored on loca...

CVSS 4.6 • AI score 1 • EPSS 0.00198
Exploits: 0 • References: 1
Cisco
•added 2019/04/17 4:0 p.m.•44 views

Cisco Aironet Series Access Points Development Shell Access Vulnerability

A vulnerability in the development shell (devshell) authentication for Cisco Aironet Series Access Points (APs) running the Cisco AP-COS operating system could allow an authenticated, local attacker to access the development shell without proper authentication, which allows for root access to the...

CVSS 7.8 • AI score 1.7 • EPSS 0.00392
Exploits: 0 • References: 1
Cisco
•added 2019/03/06 4:0 p.m.•44 views

Cisco NX-OS Software NX-API Command Injection Vulnerability

A vulnerability in the NX-API feature of Cisco NX-OS Software could allow an authenticated, remote attacker to execute arbitrary commands with root privileges. The vulnerability is due to incorrect input validation of user-supplied data by the NX-API subsystem. An attacker could exploit this...

CVSS 8.8 • AI score 9 • EPSS 0.04109
Exploits: 0 • References: 1
Cisco
•added 2018/08/15 4:0 p.m.•44 views

Cisco Email Security Appliance EXE File Scanning Bypass Vulnerability

A vulnerability in certain attachment detection mechanisms of Cisco Email Security Appliances (ESA) could allow an unauthenticated, remote attacker to bypass the filtering functionality of an affected system. The vulnerability is due to the improper detection of content within executable (EXE) files...

CVSS 5.3 • AI score 1 • EPSS 0.02818
Exploits: 0 • References: 1
Cisco
•added 2018/08/15 4:0 p.m.•44 views

Cisco Web Security Appliance Web Proxy Memory Exhaustion Denial of Service Vulnerability

A vulnerability in the web proxy functionality of Cisco AsyncOS Software for Cisco Web Security Appliances could allow an unauthenticated, remote attacker to exhaust system memory and cause a denial of service (DoS) condition on an affected system. The vulnerability exists because the affected...

CVSS 8.6 • AI score 1.8 • EPSS 0.04119
Exploits: 0 • References: 1
Cisco
•added 2018/08/15 4:0 p.m.•44 views

Cisco Web Security Appliance Privilege Escalation Vulnerability

A vulnerability in the account management subsystem of Cisco Web Security Appliance (WSA) could allow an authenticated, local attacker to elevate privileges to root. The attacker must authenticate with valid administrator credentials. The vulnerability is due to improper implementation of access...

CVSS 6.7 • AI score 2.8 • EPSS 0.00436
Exploits: 0 • References: 1
Cisco
•added 2018/07/18 4:0 p.m.•44 views

Cisco SD-WAN Solution Arbitrary File Overwrite Vulnerability

A vulnerability in the Cisco SD-WAN Solution could allow an authenticated, remote attacker to overwrite arbitrary files on the underlying operating system of an affected device. The vulnerability is due to improper input validation of the request admin-tech command in the CLI of the affected...

CVSS 8.6 • AI score 2.6 • EPSS 0.03046
Exploits: 0 • References: 1
Cisco
•added 2018/06/20 4:0 p.m.•44 views

Cisco FXOS and NX-OS Software Cisco Fabric Services Denial of Service Vulnerability

A vulnerability in the Cisco Fabric Services component of Cisco FXOS Software and Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability exists because the affected software insufficiently validates...

CVSS 8.6 • AI score 2.4 • EPSS 0.02826
Exploits: 0 • References: 1
Cisco
•added 2018/06/06 4:0 p.m.•44 views

Cisco Unity Connection Cross-Site Scripting Vulnerability

A vulnerability in the web framework of Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against the user of the web interface of an affected system. The vulnerability is due to insufficient input validation of certain parameters...

CVSS 6.1 • AI score 6.1 • EPSS 0.01783
Exploits: 0 • References: 1
Cisco
•added 2018/04/18 4:0 p.m.•44 views

Cisco Adaptive Security Appliance WebVPN Cross-Site Scripting Vulnerability

A vulnerability in the Login screen of the Clientless SSL VPN (WebVPN) portal of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. Th...

CVSS 6.1 • AI score 6 • EPSS 0.01799
Exploits: 0 • References: 1
Total number of security vulnerabilities: 5000