Cisco • Most viewed

5223 matches found

Cisco • added 2019/07/17 4:0 p.m. • 142 views

Cisco Industrial Network Director Web Services Management Agent Unauthorized Information Disclosure Vulnerability

A vulnerability in the Web Services Management Agent (WSMA) feature of Cisco Industrial Network Director (IND) could allow an unauthenticated, remote attacker to gain unauthorized read access to sensitive data using an invalid X.509 certificate. The vulnerability is due to insufficient X.509...

5.3 CVSS • 1.6 AI score • 0.00977 EPSS
Exploits: 0 • References: 1
Cisco • added 2018/12/04 4:0 p.m. • 142 views

Cisco Energy Management Suite Default PostgreSQL Password Vulnerability

A vulnerability in the configuration of a local database installed as part of the Cisco Energy Management Suite (CEMS) could allow an authenticated, local attacker to access and alter confidential data. The vulnerability is due to the installation of the PostgreSQL database with unchanged default...

7.1 CVSS • 0.2 AI score • 0.00327 EPSS
Exploits: 0 • References: 1
Cisco • added 2019/06/26 4:0 p.m. • 141 views

Cisco Data Center Network Manager Arbitrary File Download Vulnerability

A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to gain access to sensitive files on an affected device. The vulnerability is due to incorrect permissions settings on affected DCNM software. An attacke...

7.5 CVSS • 1.9 AI score • 0.29816 EPSS
Exploits: 4 • References: 1
Cisco • added 2019/04/17 4:0 p.m. • 140 views

Cisco IOS XR 64-Bit Software for Cisco ASR 9000 Series Aggregation Services Routers Network Isolation Vulnerability

A vulnerability in the sysadmin virtual machine (VM) on Cisco ASR 9000 Series Aggregation Services Routers running Cisco IOS XR 64-bit Software could allow an unauthenticated, remote attacker to access internal applications running on the sysadmin VM. The vulnerability is due to incorrect isolation...

9.8 CVSS • 9.4 AI score • 0.02828 EPSS
Exploits: 0 • References: 1
Cisco • added 2019/01/23 4:0 p.m. • 139 views

Cisco Identity Services Engine Privileged Account Sensitive Information Disclosure Vulnerability

A vulnerability in the Admin portal of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to obtain confidential information for privileged accounts. The vulnerability is due to the improper handling of confidential information. An attacker could exploit this...

6.5 CVSS • 3.4 AI score • 0.01483 EPSS
Exploits: 0 • References: 1
Cisco • added 2019/10/02 4:0 p.m. • 138 views

Cisco Identity Services Engine Cross-Site Scripting Vulnerability

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface. The vulnerability is due to insufficient validation of...

6.1 CVSS • 1.7 AI score • 0.01057 EPSS
Exploits: 0 • References: 1
Cisco • added 2019/09/25 4:0 p.m. • 138 views

Cisco IOS and IOS XE Software IP Ident Denial of Service Vulnerability

A vulnerability in the Ident protocol handler of Cisco IOS and IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload. The vulnerability exists because the affected software incorrectly handles memory structures, leading to a NULL pointer dereference...

8.6 CVSS • 1.7 AI score • 0.01984 EPSS
Exploits: 0 • References: 1
Cisco • added 2019/02/06 4:0 p.m. • 138 views

Cisco Web Security Appliance Decryption Policy Bypass Vulnerability

A vulnerability in the Decryption Policy Default Action functionality of the Cisco Web Security Appliance (WSA) could allow an unauthenticated, remote attacker to bypass a configured drop policy and allow traffic onto the network that should have been denied. The vulnerability is due to the incorre...

5.8 CVSS • 1.1 AI score • 0.01645 EPSS
Exploits: 0 • References: 1
Cisco • added 2019/01/23 4:0 p.m. • 138 views

Cisco SocialMiner Chat Feed Cross-Site Scripting Vulnerabilities

Multiple vulnerabilities in the chat feed feature of Cisco SocialMiner could allow an unauthenticated, remote attacker to perform cross-site scripting (XSS) attacks against a user of the web-based user interface of an affected system. These vulnerabilities are due to insufficient sanitization of...

6.1 CVSS • 0.5 AI score • 0.01271 EPSS
Exploits: 0 • References: 1
Cisco • added 2019/06/19 4:0 p.m. • 136 views

Cisco Meeting Server CLI Command Injection Vulnerability

A vulnerability in the CLI configuration shell of Cisco Meeting Server could allow an authenticated, local attacker to inject arbitrary commands as the root user. The vulnerability is due to insufficient input validation during the execution of a vulnerable CLI command. An attacker with...

6.7 CVSS • 2.1 AI score • 0.00507 EPSS
Exploits: 0 • References: 1
Cisco • added 2020/07/22 4:0 p.m. • 135 views

Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Read-Only Path Traversal Vulnerability

A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. The vulnerability i...

7.5 CVSS • 7.6 AI score • 0.99992 EPSS
Exploits: 24 • References: 1
Cisco • added 2019/07/17 4:0 p.m. • 135 views

Cisco Identity Services Engine Cross-Site Scripting Vulnerability

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerability exists because the...

6.1 CVSS • 1.7 AI score • 0.01271 EPSS
Exploits: 0 • References: 1
Cisco • added 2019/01/23 4:0 p.m. • 135 views

Cisco Prime Infrastructure Cross-Site Scripting Vulnerability

A vulnerability in the web-based management interface of Cisco Prime Infrastructure could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of the affected software. The vulnerability is due to insufficient...

6.1 CVSS • 1.3 AI score • 0.01211 EPSS
Exploits: 0 • References: 1
Cisco • added 2018/06/06 4:0 p.m. • 135 views

Cisco AnyConnect Secure Mobility Client Certificate Bypass Vulnerability

A vulnerability in the certificate management subsystem of Cisco AnyConnect Network Access Manager and of Cisco AnyConnect Secure Mobility Client for iOS, Mac OS X, Android, Windows, and Linux could allow an unauthenticated, remote attacker to bypass the TLS certificate check when downloading...

4.8 CVSS • 1.2 AI score • 0.00983 EPSS
Exploits: 0 • References: 1
Cisco • added 2016/01/27 8:0 p.m. • 135 views

Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products: January 2016

Multiple Cisco products incorporate a version of the Network Time Protocol daemon (ntpd) package. Versions of this package are affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to create a denial of service (DoS) condition or modify the time being advertised...

5 CVSS • 7.4 AI score • 0.11983 EPSS
Exploits: 5 • References: 1
Cisco • added 2021/03/24 4:0 p.m. • 134 views

Cisco IOS XE Software Arbitrary Code Execution Vulnerability

A vulnerability in the boot logic of Cisco IOS XE Software could allow an authenticated, local attacker with level 15 privileges or an unauthenticated attacker with physical access to execute arbitrary code on the underlying Linux operating system of an affected device. This vulnerability is due ...

6.8 CVSS • 6.9 AI score • 0.00377 EPSS
Exploits: 0 • References: 1
Cisco • added 2019/10/02 4:0 p.m. • 134 views

Cisco Prime Infrastructure Cross-Site Scripting Vulnerability

A vulnerability in the web-based management interface of Cisco Prime Infrastructure could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of the affected software. The vulnerability is due to insufficient...

6.1 CVSS • 1.4 AI score • 0.01057 EPSS
Exploits: 0 • References: 1
Cisco • added 2019/10/02 4:0 p.m. • 134 views

Cisco Firepower Management Center SQL Injection Vulnerabilities

Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to execute arbitrary SQL injections on an affected device. These vulnerabilities exist due to improper input validation. An attacker could...

8.8 CVSS • 9.2 AI score
Exploits: 0 • References: 1
Cisco • added 2019/06/12 4:0 p.m. • 134 views

Cisco IOS XE Software Web UI Cross-Site Request Forgery Vulnerability

A vulnerability in the web-based UI (web UI) of Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protections for the web UI on an affected device. An attacke...

8.8 CVSS • 2.6 AI score • 0.00974 EPSS
Exploits: 0 • References: 1
Cisco • added 2019/10/02 4:0 p.m. • 133 views

Cisco Adaptive Security Appliance and Firepower Threat Defense Software WebVPN Cross-Site Scripting Vulnerability

A vulnerability in the Clientless SSL VPN (WebVPN) portal of Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an...

6.1 CVSS • 6 AI score • 0.01057 EPSS
Exploits: 0 • References: 1
Cisco • added 2019/07/03 4:0 p.m. • 133 views

Cisco Jabber for Windows DLL Preloading Vulnerability

A vulnerability in the loading mechanism of specific dynamic link libraries in Cisco Jabber for Windows could allow an authenticated, local attacker to perform a DLL preloading attack. To exploit this vulnerability, the attacker would need to have valid credentials on the Windows system. The...

7.3 CVSS • 7.3 AI score • 0.02195 EPSS
Exploits: 0 • References: 1
Cisco • added 2022/04/01 11:45 p.m. • 132 views

Vulnerability in Spring Framework Affecting Cisco Products: March 2022

On March 31, 2022, the following critical vulnerability in the Spring Framework affecting Spring MVC and Spring WebFlux applications running on JDK 9+ was released: CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+. For a description of this vulnerability, see VMware Spring Framework...

9.8 CVSS • 8.4 AI score • 0.99677 EPSS
Exploits: 100 • References: 1
Cisco • added 2019/11/06 4:0 p.m. • 132 views

Cisco Small Business RV320 and RV325 Dual Gigabit WAN Routers Issues

Cisco firmware for Cisco RV320 and RV325 Dual Gigabit WAN VPN Routers is affected by the following issues: Static certificates and keys; Hardcoded password hashes; Multiple vulnerabilities in third-party software (TPS) components. Static Certificates and Keys: Two static X.509 certificates with the...

0.6 AI score
Exploits: 0 • References: 1
Cisco • added 2017/09/27 4:0 p.m. • 132 views

Cisco IOS and IOS XE Software DHCP Remote Code Execution Vulnerability

The DHCP relay subsystem of Cisco IOS and Cisco IOS XE Software contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code and gain full control of an affected system. The attacker could also cause an affected system to reload, resulting in a denial of...

9.8 CVSS • 10 AI score • 0.13521 EPSS
Exploits: 0 • References: 1
Cisco • added 2021/12/10 6:45 p.m. • 131 views

Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021

Critical Vulnerabilities in Apache Log4j Java Logging Library: On December 9, 2021, the following critical vulnerability in the Apache Log4j Java logging library affecting all Log4j2 versions earlier than 2.15.0 was disclosed: CVE-2021-44228: Apache Log4j2 JNDI features do not protect against...

10 CVSS • 9.2 AI score • 0.99999 EPSS
Exploits: 350 • References: 1
Cisco • added 2019/06/19 4:0 p.m. • 131 views

Cisco StarOS Denial of Service Vulnerability

A vulnerability in the internal packet-processing functionality of the Cisco StarOS operating system running on virtual platforms could allow an unauthenticated, remote attacker to cause an affected device to stop processing traffic, resulting in a denial of service (DoS) condition. The vulnerabili...

8.6 CVSS • 1.9 AI score • 0.0264 EPSS
Exploits: 0 • References: 1
Cisco • added 2019/02/15 5:0 p.m. • 131 views

Container Privilege Escalation Vulnerability Affecting Cisco Products: February 2019

A vulnerability in the Open Container Initiative runc CLI tool used by multiple products could allow an unauthenticated, remote attacker to escalate privileges on a targeted system. The vulnerability exists because the affected software improperly handles file descriptors related to /proc/self/ex...

9.3 CVSS • 2.2 AI score • 0.9589 EPSS
Exploits: 33 • References: 1
Cisco • added 2020/11/18 4:0 p.m. • 130 views

Cisco Expressway Software TURN Server Configuration Issue

The Traversal Using Relays around NAT (TURN) server component of Cisco Expressway software supports the relay of media connections through a firewall using proxy services. As a result of this feature, interfaces such as the Cisco Expressway web administrative interface may become accessible from...

6.6 AI score
Exploits: 0 • References: 1
Cisco • added 2019/10/02 4:0 p.m. • 130 views

Cisco Unified Communications Manager Cross-Site Scripting Vulnerability

A vulnerability in the web-based interface of Cisco Unified Communications Manager and Cisco Unified Communications Manager Session Management Edition (SME) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based interface of the...

6.1 CVSS • 1.8 AI score • 0.01057 EPSS
Exploits: 0 • References: 1
Cisco • added 2019/07/17 4:0 p.m. • 130 views

Cisco FindIT Network Management Software Static Credentials Vulnerability

A vulnerability in the Cisco FindIT Network Management Software virtual machine (VM) images could allow an unauthenticated, local attacker who has access to the VM console to log in to the device with a static account that has root privileges. The vulnerability is due to the presence of an account...

8.4 CVSS • 2.4 AI score • 0.00322 EPSS
Exploits: 0 • References: 1
Cisco • added 2019/06/19 4:0 p.m. • 130 views

Cisco TelePresence Endpoint Command Shell Injection Vulnerability

A vulnerability in the Cisco Discovery Protocol (CDP) implementation for the Cisco TelePresence Codec (TC) and Collaboration Endpoint (CE) Software could allow an unauthenticated, adjacent attacker to inject arbitrary shell commands that are executed by the device. The vulnerability is due to...

7.5 CVSS • 2 AI score • 0.01078 EPSS
Exploits: 0 • References: 1
Cisco • added 2019/01/23 4:0 p.m. • 130 views

Cisco Firepower Management Center Cross-Site Scripting Vulnerability

A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of the affected software. The vulnerability is...

6.1 CVSS • 5.9 AI score • 0.03905 EPSS
Exploits: 5 • References: 1
Cisco • added 2018/03/28 4:0 p.m. • 130 views

Cisco IOS and IOS XE Software Smart Install Denial of Service Vulnerability

A vulnerability in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition. The vulnerability is due to improper validation of packet data. A...

8.6 CVSS • 1.8 AI score • 0.08369 EPSS
Exploits: 0 • References: 1
Cisco • added 2001/03/01 2:0 a.m. • 130 views

Cisco IOS Software TCP Initial Sequence Number Randomization Improvements

...

6.4 CVSS • 2.2 AI score • 0.30873 EPSS
Exploits: 1 • References: 1
Cisco • added 2019/07/17 4:0 p.m. • 129 views

Cisco Identity Services Engine Blind SQL Injection Vulnerability

A vulnerability in the sponsor portal web interface for Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to impact the integrity of an affected system by executing arbitrary SQL queries. The vulnerability is due to insufficient validation of user-supplied input. An...

4.3 CVSS • 2.4 AI score • 0.01226 EPSS
Exploits: 0 • References: 1
Cisco • added 2019/02/20 4:0 p.m. • 129 views

Cisco Network Convergence System 1000 Series TFTP Directory Traversal Vulnerability

A vulnerability in the TFTP service of Cisco Network Convergence System 1000 Series software could allow an unauthenticated, remote attacker to retrieve arbitrary files from the targeted device, possibly resulting in information disclosure. The vulnerability is due to improper validation of...

7.5 CVSS • 1.4 AI score • 0.06282 EPSS
Exploits: 0 • References: 1
Cisco • added 2019/01/23 4:0 p.m. • 129 views

Cisco Identity Services Engine Privilege Escalation Vulnerability

A vulnerability in the administrative web interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to gain additional privileges on an affected device. The vulnerability is due to improper controls on certain pages in the web interface. An attacker could explo...

6.5 CVSS • 2.1 AI score • 0.01671 EPSS
Exploits: 0 • References: 1
Cisco • added 2015/01/28 10:30 p.m. • 130 views

GNU glibc gethostbyname Function Buffer Overflow Vulnerability

On January 27, 2015, a buffer overflow vulnerability in the GNU C library (glibc) was publicly announced. This vulnerability is related to the various gethostbyname functions included in glibc and affects applications that call these functions. This vulnerability may allow an attacker to obtain...

10 CVSS • 7.5 AI score • 0.94859 EPSS
Exploits: 29 • References: 1
Cisco • added 2018/09/21 4:0 p.m. • 128 views

Cisco Video Surveillance Manager Appliance Default Password Vulnerability

A vulnerability in Cisco Video Surveillance Manager (VSM) Software running on certain Cisco Connected Safety and Security Unified Computing System (UCS) platforms could allow an unauthenticated, remote attacker to log in to an affected system by using the root account, which has default, static user...

9.8 CVSS • 2.8 AI score • 0.06827 EPSS
Exploits: 0 • References: 1
Cisco • added 2021/03/24 4:0 p.m. • 127 views

Cisco IOS and IOS XE Software Common Industrial Protocol Privilege Escalation Vulnerability

A vulnerability in the CLI command permissions of Cisco IOS and Cisco IOS XE Software could allow an authenticated, local attacker to retrieve the password for Common Industrial Protocol (CIP) and then remotely configure the device as an administrative user. This vulnerability exists because...

7.8 CVSS • 7.7 AI score • 0.0022 EPSS
Exploits: 0 • References: 1
Cisco • added 2019/02/20 4:0 p.m. • 127 views

Cisco Prime Infrastructure Certificate Validation Vulnerability

A vulnerability in the Identity Services Engine (ISE) integration feature of Cisco Prime Infrastructure (PI) could allow an unauthenticated, remote attacker to perform a man-in-the-middle attack against the Secure Sockets Layer (SSL) tunnel established between ISE and PI. The vulnerability is due to...

7.4 CVSS • 0.9 AI score • 0.00846 EPSS
Exploits: 0 • References: 1
Cisco • added 2021/05/11 6:0 p.m. • 126 views

Multiple Vulnerabilities in Frame Aggregation and Fragmentation Implementations of 802.11 Specification Affecting Cisco Products: May 2021

On May 11, 2021, the research paper Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation was made public. This paper discusses 12 vulnerabilities in the 802.11 standard. One vulnerability is in the frame aggregation functionality, two vulnerabilities are in the frame...

6.5 CVSS • 6.7 AI score • 0.07604 EPSS
Exploits: 4 • References: 1
Cisco • added 2019/07/17 4:0 p.m. • 126 views

Cisco Vision Dynamic Signage Director REST API Authentication Bypass Vulnerability

A vulnerability in the REST API interface of Cisco Vision Dynamic Signage Director could allow an unauthenticated, remote attacker to bypass authentication on an affected system. The vulnerability is due to insufficient validation of HTTP requests. An attacker could exploit this vulnerability by...

9.1 CVSS • 1.9 AI score • 0.0534 EPSS
Exploits: 0 • References: 1
Cisco • added 2019/02/06 4:0 p.m. • 126 views

Cisco TelePresence Conductor, Cisco Expressway Series, and Cisco TelePresence Video Communication Server REST API Server-Side Request Forgery Vulnerability

A vulnerability in the web interface of Cisco TelePresence Conductor, Cisco Expressway Series, and Cisco TelePresence Video Communication Server (VCS) Software could allow an authenticated, remote attacker to trigger an HTTP request from an affected server to an arbitrary host. This type of attack ...

5 CVSS • 1.3 AI score • 0.02125 EPSS
Exploits: 0 • References: 1
Cisco • added 2019/01/23 4:0 p.m. • 126 views

Cisco Identity Services Engine Logging Cross-Site Scripting Vulnerability

A vulnerability in the logging component of Cisco Identity Services Engine could allow an unauthenticated, remote attacker to conduct cross-site scripting attacks. The vulnerability is due to the improper validation of requests stored in the system’s logging database. An attacker could exploit th...

6.1 CVSS • 5.9 AI score • 0.01079 EPSS
Exploits: 0 • References: 1
Cisco • added 2019/10/02 4:0 p.m. • 125 views

Cisco Firepower Management Center Directory Traversal Vulnerability

A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to perform a directory traversal attack on an affected device. The vulnerability is due to insufficient input validation by the web-based managemen...

4.1 CVSS • 4.8 AI score • 0.03917 EPSS
Exploits: 0 • References: 1
Cisco • added 2019/06/05 4:0 p.m. • 125 views

Cisco Industrial Network Director Cross-Site Request Forgery Vulnerability

A vulnerability in the web-based management interface of Cisco Industrial Network Director (IND) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. The vulnerability is due to insufficient CSRF...

4.7 CVSS • 4.4 AI score • 0.01287 EPSS
Exploits: 1 • References: 1
Cisco • added 2018/06/06 4:0 p.m. • 125 views

Cisco Adaptive Security Appliance Web Services Denial of Service Vulnerability

A vulnerability in the web interface of the Cisco Adaptive Security Appliance (ASA) could allow an unauthenticated, remote attacker to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition. It is also possible on certain software releases that the ASA will...

8.6 CVSS • 7.7 AI score • 0.99903 EPSS
Exploits: 18 • References: 1
Cisco • added 2019/07/03 4:0 p.m. • 124 views

Cisco Unified Communications Domain Manager Restricted Shell Escape Vulnerability

A vulnerability in the CLI of Cisco Unified Communications Domain Manager (Cisco Unified CDM) Software could allow an authenticated, local attacker to escape the restricted shell. The vulnerability is due to insufficient input validation of shell commands. An attacker could exploit this vulnerabili...

5.3 CVSS • 1.5 AI score • 0.00321 EPSS
Exploits: 0 • References: 1
Cisco • added 2019/07/03 4:0 p.m. • 123 views

Cisco Small Business Series Switches HTTP Denial of Service Vulnerability

A vulnerability in the web interface of Cisco Small Business 200, 300, and 500 Series Managed Switches could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to improper validation of requests sent to the web...

7.5 CVSS • 7.6 AI score • 0.01772 EPSS
Exploits: 0 • References: 1
Total number of security vulnerabilities: 5000