
5224 matches found

Cisco • added 2014/01/27 2:20 p.m. • 36 views

Cisco Secure ACS Portal Session Management Vulnerability

A vulnerability in the portal interface of Cisco Secure Access Control System (ACS) could allow an authenticated, remote attacker to access the portal with the access capabilities of another user. The vulnerability is due to insufficient session management in the portal. An attacker could exploit...

CVSS 5.5 • AI score 6.2 • EPSS 0.01426 • Exploits 0 • References 1

Cisco • added 2014/01/23 4:44 p.m. • 36 views

Cisco TelePresence Video Communication Server Expressway Default SSL Certificate Vulnerability

A vulnerability in the Cisco TelePresence Video Communication Server (VCS) Expressway could allow an unauthenticated, remote attacker to execute a man-in-the-middle (MITM) attack between one or more affected devices. The vulnerability occurs because the same default SSL certificate is used across all...

CVSS 6.4 • AI score 6.1 • EPSS 0.01603 • Exploits 0 • References 1

Cisco • added 2014/01/22 4:0 p.m. • 36 views

Cisco TelePresence ISDN Gateway D-Channel Denial of Service Vulnerability

Cisco TelePresence ISDN Gateway contains a vulnerability that could allow an unauthenticated, remote attacker to trigger the drop of the data channel (D-channel), causing all calls to be terminated and preventing users from making new calls. Cisco has released software updates that address this...

CVSS 7.1 • AI score 6.4 • EPSS 0.01949 • Exploits 0 • References 1

Cisco • added 2014/01/10 4:0 p.m. • 36 views

Undocumented Test Interface in Cisco Small Business Devices

A vulnerability in the Cisco WAP4410N Wireless-N Access Point, Cisco WRVS4400N Wireless-N Gigabit Security Router, and the Cisco RVS4000 4-port Gigabit Security Router could allow an unauthenticated, remote attacker to gain root-level access to an affected device. Note: Additional research...

CVSS 10 • AI score 7 • EPSS 0.73825 • Exploits 3 • References 1

Cisco • added 2013/12/24 7:13 p.m. • 36 views

Cisco IOS XE Software Telnet Authentication Bypass Vulnerability

A vulnerability in the vty authentication of Cisco IOS XE Software (03.02.xxSE and 03.03.xxSE only) could allow an unauthenticated, remote attacker to access an affected device without authentication and perform actions on the device with the privileges configured for the vty line interface. The...

CVSS 5.4 • AI score 7.2 • EPSS 0.03602 • Exploits 0 • References 1

Cisco • added 2013/06/26 4:0 p.m. • 36 views

Multiple Vulnerabilities in Cisco Web Security Appliance

Cisco IronPort AsyncOS Software for Cisco Web Security Appliance is affected by the following vulnerabilities: two authenticated command injection vulnerabilities, and a Management GUI Denial of Service Vulnerability. These vulnerabilities are independent of each other; a release that is affected by one ...

CVSS 9 • AI score 7.7 • EPSS 0.0353 • Exploits 1 • References 1

Cisco • added 2012/09/26 4:0 p.m. • 36 views

Cisco IOS Software DHCP Version 6 Server Denial of Service Vulnerability

Cisco IOS Software and Cisco IOS XE Software contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. An attacker could exploit this vulnerability by sending a crafted request to an affected device that has the DHCP version 6 (DHCPv6)...

CVSS 7.1 • AI score 6.9 • EPSS 0.02774 • Exploits 0 • References 1

Cisco • added 2012/03/28 4:0 p.m. • 36 views

Cisco IOS Software RSVP Denial of Service Vulnerability

Cisco IOS Software and Cisco IOS XE Software contain a vulnerability in the RSVP feature when used on a device configured with VPN routing and forwarding (VRF) instances. This vulnerability could allow an unauthenticated, remote attacker to cause an interface wedge, which can lead to loss of...

CVSS 7.8 • AI score 6.8 • EPSS 0.02011 • Exploits 0 • References 1

Cisco • added 2012/02/29 4:0 p.m. • 36 views

Cisco TelePresence Video Communication Server Session Initiation Protocol Denial of Service Vulnerabilities

Cisco TelePresence Video Communication Servers running software versions prior to X7.0.1 contain vulnerabilities that could allow an attacker to cause a denial of service (DoS) condition. Cisco has released software updates that address these vulnerabilities. There are no workarounds that mitigate...

CVSS 7.8 • AI score 6.3 • EPSS 0.01328 • Exploits 0 • References 1

Cisco • added 2009/09/23 4:0 p.m. • 36 views

Cisco IOS Software Network Time Protocol Packet Vulnerability

Cisco IOS® Software with support for Network Time Protocol (NTP) version (v4) contains a vulnerability processing specific NTP packets that will result in a reload of the device. This results in a remote denial of service (DoS) condition on the affected device. Cisco has released software updates that...

CVSS 7.8 • AI score 6.7 • EPSS 0.02853 • Exploits 0 • References 1

Cisco • added 2008/03/26 4:0 p.m. • 36 views

Cisco IOS Multicast Virtual Private Network (MVPN) Data Leak

CVSS 5.1 • AI score 6.1 • EPSS 0.02708 • Exploits 1 • References 1

Cisco • added 2008/03/26 4:0 p.m. • 36 views

Cisco IOS Virtual Private Dial-up Network Denial of Service Vulnerability

CVSS 7.1 • AI score 6 • EPSS 0.01894 • Exploits 1 • References 1

Cisco • added 2007/01/24 12:0 a.m. • 36 views

Crafted TCP Packet Can Cause Denial of Service

Cisco has released software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available. This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070124-crafted-tcp...

CVSS 7.8 • AI score 6.7 • EPSS 0.04334 • Exploits 0 • References 1

Cisco • added 2002/01/29 3:0 p.m. • 36 views

Cisco CatOS Telnet Buffer Vulnerability

...

CVSS 10 • AI score 2 • EPSS 0.37896 • Exploits 1 • References 1 • Affected Software 2

Cisco • added 2026/06/03 4:0 p.m. • 35 views

Cisco Unified Communications Manager Server-Side Request Forgery Vulnerability

A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to conduct server-side request forgery (SSRF) attacks through an affected device. This vulnerability ...

CVSS 8.6 • AI score 5.8 • EPSS 0.41694 • Exploits 3 • References 1

Cisco • added 2024/03/27 4:0 p.m. • 35 views

Cisco IOS XE Software for Wireless LAN Controllers Multicast DNS Denial of Service Vulnerability

A vulnerability in the multicast DNS (mDNS) gateway feature of Cisco IOS XE Software for Wireless LAN Controllers (WLCs) could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition. This vulnerability is due to improper management of mDNS client entries. An attacker...

CVSS 7.4 • AI score 7.4 • EPSS 0.00322 • Exploits 0 • References 1

Cisco • added 2023/11/15 4:0 p.m. • 35 views

Cisco Secure Endpoint for Windows Scanning Evasion Vulnerability

A vulnerability in the endpoint software of Cisco Secure Endpoint for Windows could allow an authenticated, local attacker to evade endpoint protection within a limited time window. This vulnerability is due to a timing issue that occurs between various software components. An attacker could...

CVSS 5 • AI score 4.9 • EPSS 0.00172 • Exploits 0 • References 1

Cisco • added 2023/11/01 4:0 p.m. • 35 views

Cisco Firepower Management Center Software Arbitrary File Download Vulnerability

A vulnerability in the file download feature of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to download arbitrary files from an affected system. This vulnerability is due to a lack of input sanitation. An attacker could exploit this vulnerability b...

CVSS 6.5 • AI score 6.5 • EPSS 0.00505 • Exploits 0 • References 1

Cisco • added 2023/09/27 4:0 p.m. • 35 views

Cisco Access Point Software Uncontrolled Resource Consumption Vulnerability

A vulnerability in the packet processing functionality of Cisco access point (AP) software could allow an unauthenticated, adjacent attacker to exhaust resources on an affected device. This vulnerability is due to insufficient management of resources when handling certain types of traffic. An...

CVSS 4.7 • AI score 4.8 • EPSS 0.00236 • Exploits 0 • References 1

Cisco • added 2023/03/01 4:0 p.m. • 35 views

Cisco Prime Infrastructure and Evolved Programmable Network Manager Stored Cross-Site Scripting Vulnerability

A vulnerability in the web-based management interface of Cisco Prime Infrastructure and Cisco Evolved Programmable Network (EPN) Manager could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface on an affected device. This...

CVSS 5.4 • AI score 5.1 • EPSS 0.0045 • Exploits 0 • References 1

Cisco • added 2022/11/09 4:0 p.m. • 35 views

Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software VPN Authorization Bypass Vulnerability

A vulnerability in the authentication and authorization flows for VPN connections in Cisco Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to establish a connection as a different user. This vulnerability is due to...

CVSS 5.8 • AI score 5.8 • EPSS 0.00683 • Exploits 0 • References 1

Cisco • added 2022/10/05 4:0 p.m. • 35 views

Cisco Touch 10 Devices Downgrade Vulnerability

A vulnerability in the version control of Cisco TelePresence CE Software for Cisco Touch 10 Devices could allow an unauthenticated, adjacent attacker to install an older version of the software on an affected device. This vulnerability is due to insufficient version control. An attacker could...

CVSS 6.5 • AI score 6.7 • EPSS 0.00266 • Exploits 0 • References 1

Cisco • added 2022/09/28 4:0 p.m. • 35 views

Cisco IOS XE Software for Embedded Wireless Controllers on Catalyst 9100 Series Access Points UDP Processing Denial of Service Vulnerability

A vulnerability in the UDP processing functionality of Cisco IOS XE Software for Embedded Wireless Controllers on Catalyst 9100 Series Access Points could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. This vulnerability is due to the improper processing of...

CVSS 8.6 • AI score 8 • EPSS 0.00852 • Exploits 0 • References 1

Cisco • added 2022/08/03 4:0 p.m. • 35 views

Cisco BroadWorks Application Delivery Platform Software Cross-Site Scripting Vulnerability

A vulnerability in the web-based management interface of Cisco BroadWorks Application Delivery Platform Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting attack against a user of the interface. This vulnerability exists because the web-based management...

CVSS 6.1 • AI score 6.3 • EPSS 0.00536 • Exploits 0 • References 1

Cisco • added 2022/08/03 4:0 p.m. • 35 views

Cisco Webex Meetings Web Interface Vulnerabilities

Multiple vulnerabilities in the web interface of Cisco Webex Meetings could allow a remote attacker to conduct a cross-site scripting (XSS) attack or a frame hijacking attack against a user of the web interface. For more information about these vulnerabilities, see the Details section of...

CVSS 5.4 • AI score 5.6 • EPSS 0.00445 • Exploits 0 • References 1

Cisco • added 2022/06/15 4:0 p.m. • 35 views

Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers Remote Command Execution and Denial of Service Vulnerability

A vulnerability in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an unauthenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly, resulting in a denial of service (DoS) condition. Th...

CVSS 9.8 • AI score 9.8 • EPSS 0.02899 • Exploits 0 • References 1

Cisco • added 2022/05/04 4:0 p.m. • 35 views

Cisco TelePresence Collaboration Endpoint and RoomOS Software Vulnerabilities

Multiple vulnerabilities in the web engine of Cisco Telepresence CE Software and RoomOS Software could allow a remote attacker to cause a denial of service (DoS) condition, redirect users to an attacker controlled destination or view sensitive data on an affected device. For more information about...

CVSS 6.5 • AI score 6.2 • Exploits 0 • References 1

Cisco • added 2022/04/13 4:0 p.m. • 35 views

Cisco SD-WAN vManage Software Privilege Escalation Vulnerability

A vulnerability in the CLI of Cisco SD-WAN vManage Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system as the root user. The attacker must be authenticated on the affected system as a low-privileged user to exploit this...

CVSS 7.3 • AI score 7.5 • EPSS 0.00564 • Exploits 0 • References 1

Cisco • added 2022/01/19 4:0 p.m. • 35 views

ConfD CLI Command Injection Vulnerability

A vulnerability in the implementation of the CLI on a device that is running ConfD could allow an authenticated, local attacker to perform a command injection attack. The vulnerability is due to insufficient validation of a process argument on an affected device. An attacker could exploit this...

CVSS 8.8 • AI score 2.4 • EPSS 0.00832 • Exploits 0 • References 1

Cisco • added 2021/11/03 4:0 p.m. • 35 views

Cisco Small Business RV Series Routers Command Injection Vulnerability

A vulnerability in the web-based management interface of certain Cisco Small Business RV Series Routers could allow an authenticated, remote attacker with administrative privileges to inject arbitrary commands into the underlying operating system and execute them using root-level privileges. This...

CVSS 6.5 • AI score 6.9 • EPSS 0.01935 • Exploits 0 • References 1

Cisco • added 2021/09/22 4:0 p.m. • 35 views

Cisco Embedded Wireless Controller Software for Catalyst Access Points Denial of Service Vulnerability

A vulnerability in the packet processing functionality of Cisco Embedded Wireless Controller (EWC) Software for Catalyst Access Points (APs) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected AP. This vulnerability is due to insufficient buffer...

CVSS 8.6 • AI score 8.6 • EPSS 0.01285 • Exploits 0 • References 1

Cisco • added 2021/07/07 4:0 p.m. • 35 views

Cisco Web Security Appliance Privilege Escalation Vulnerability

A vulnerability in the configuration management of Cisco AsyncOS for Cisco Web Security Appliance (WSA) could allow an authenticated, remote attacker to perform command injection and elevate privileges to root. This vulnerability is due to insufficient validation of user-supplied XML input for the...

CVSS 6.3 • AI score 8 • EPSS 0.01879 • Exploits 0 • References 1

Cisco • added 2021/02/03 4:0 p.m. • 35 views

Cisco IOS XR Software Unauthorized Information Disclosure Vulnerability

A vulnerability in the CLI parser of Cisco IOS XR Software could allow an authenticated, local attacker to view more information than their privileges allow. The vulnerability is due to insufficient application of restrictions during the execution of a specific command. An attacker could exploit...

CVSS 5.5 • AI score 5.4 • EPSS 0.00343 • Exploits 0 • References 1

Cisco • added 2020/10/21 4:0 p.m. • 35 views

Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software SIP Denial of Service Vulnerability

Update from October 22nd, 2020: Cisco has become aware of a new Cisco Adaptive Security Appliance vulnerability that could affect the fixed releases recommended for code trains 9.13 and 9.14 in the Fixed Software section of this advisory. See the Cisco Adaptive Security Appliance Software...

CVSS 6.8 • AI score 7.1 • EPSS 0.0166 • Exploits 0 • References 1

Cisco • added 2020/09/24 4:0 p.m. • 35 views

Cisco IOS XE Software IOx Application Hosting Privilege Escalation Vulnerability

A vulnerability in the application-hosting subsystem of Cisco IOS XE Software could allow an authenticated, local attacker to elevate privileges to root on an affected device. The attacker could execute IOS XE commands outside the application-hosting subsystem Docker container as well as on the...

CVSS 6 • AI score 7.1 • EPSS 0.00342 • Exploits 0 • References 1

Cisco • added 2020/09/24 4:0 p.m. • 35 views

Cisco IOS and IOS XE Software ISDN Q.931 Denial of Service Vulnerability

A vulnerability in the ISDN subsystem of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, adjacent attacker to cause a reload of an affected device, resulting in a denial of service (DoS) condition. The vulnerability is due to insufficient input validation when the ISDN...

CVSS 7.4 • AI score 7.3 • EPSS 0.00433 • Exploits 0 • References 1

Cisco • added 2020/08/26 4:0 p.m. • 35 views

Cisco Nexus 3000 and 9000 Series Switches Privilege Escalation Vulnerability

A vulnerability in the Enable Secret feature of Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches in standalone NX-OS mode could allow an authenticated, local attacker to issue the enable command and get full administrative privileges. To exploit this vulnerability, the attack...

CVSS 7.8 • AI score 7.8 • EPSS 0.00324 • Exploits 0 • References 1

Cisco • added 2020/07/15 4:0 p.m. • 35 views

Cisco SD-WAN vEdge Routers Denial of Service Vulnerability

A vulnerability in the deep packet inspection (DPI) engine of Cisco SD-WAN vEdge Routers could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected system. The vulnerability is due to insufficient handling of malformed packets. An attacker could...

CVSS 7.4 • AI score 6.6 • EPSS 0.00527 • Exploits 0 • References 1

Cisco • added 2020/06/17 4:0 p.m. • 35 views

Cisco ASR 5000 Series Aggregation Services Routers Enhanced Charging Service Rule Bypass Vulnerability

A vulnerability in the Enhanced Charging Service (ECS) functionality of Cisco ASR 5000 Series Aggregation Services Routers could allow an unauthenticated, remote attacker to bypass the traffic classification rules on an affected device. The vulnerability is due to insufficient input validation of...

CVSS 5.3 • AI score 1.8 • EPSS 0.01011 • Exploits 0 • References 1

Cisco • added 2020/06/03 4:0 p.m. • 35 views

Cisco IOS XE Software Privilege Escalation Vulnerability

A vulnerability in the ROMMON of Cisco IOS XE Software could allow an authenticated, local attacker to elevate privileges to those of the root user of the underlying operating system. The vulnerability is due to the ROMMON allowing for special parameters to be passed to the device at initial boot...

CVSS 6.7 • AI score 5.2 • EPSS 0.00407 • Exploits 0 • References 1

Cisco • added 2020/06/03 4:0 p.m. • 35 views

Cisco IOS XE Software Privilege Escalation Vulnerability

A vulnerability in the Virtual Services Container of Cisco IOS XE Software could allow an authenticated, local attacker to gain root-level privileges on an affected device. The vulnerability is due to insufficient validation of a user-supplied open virtual appliance (OVA). An attacker could exploit...

CVSS 6.7 • AI score 3.2 • EPSS 0.00339 • Exploits 0 • References 1

Cisco • added 2020/03/04 4:0 p.m. • 35 views

Cisco Intelligent Proximity SSL Certificate Validation Vulnerability

A vulnerability in the SSL implementation of the Cisco Intelligent Proximity solution could allow an unauthenticated, remote attacker to view or alter information shared on Cisco Webex video devices and Cisco collaboration endpoints if the products meet the conditions described in the Vulnerable...

CVSS 7.4 • AI score 7.3 • EPSS 0.00874 • Exploits 0 • References 1

Cisco • added 2020/02/05 4:0 p.m. • 35 views

Cisco NX-OS Software Cisco Discovery Protocol Remote Code Execution Vulnerability

A vulnerability in the Cisco Discovery Protocol implementation for Cisco NX-OS Software could allow an unauthenticated, adjacent attacker to execute arbitrary code or cause a reload on an affected device. The vulnerability exists because the Cisco Discovery Protocol parser does not properly...

CVSS 8.8 • AI score 2.7 • EPSS 0.05098 • Exploits 0 • References 1

Cisco • added 2019/05/15 4:0 p.m. • 35 views

Cisco FXOS and NX-OS Software Command Injection Vulnerabilities (CVE-2019-1781, CVE-2019-1782)

Multiple vulnerabilities in the CLI of Cisco FXOS Software and Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system of an affected device. These vulnerabilities are due to insufficient validation of arguments passed to...

CVSS 6.7 • AI score 6.9 • EPSS 0.00543 • Exploits 0 • References 1

Cisco • added 2019/05/15 4:0 p.m. • 35 views

Cisco Prime Infrastructure and Evolved Programmable Network Manager Path Traversal Vulnerability

A vulnerability in the web-based management interface of Cisco Prime Infrastructure and Cisco Evolved Programmable Network (EPN) Manager software could allow an authenticated, remote attacker to download and view files within the application that should be restricted. This vulnerability is due to...

CVSS 6.5 • AI score 1 • EPSS 0.13856 • Exploits 1 • References 1

Cisco • added 2019/05/15 4:0 p.m. • 35 views

Cisco Video Surveillance Manager Web-Based Management Interface Information Disclosure Vulnerability

A vulnerability in the web-based management interface of Cisco Video Surveillance Manager could allow an unauthenticated, remote attacker to access sensitive information. The vulnerability is due to improper validation of parameters handled by the web-based management interface. An attacker could...

CVSS 7.5 • AI score 1.8 • EPSS 0.10053 • Exploits 0 • References 1

Cisco • added 2019/05/15 4:0 p.m. • 35 views

Cisco FXOS and NX-OS Software Sensitive File Read Information Disclosure Vulnerability

A vulnerability in the implementation of a CLI diagnostic command in Cisco FXOS Software and Cisco NX-OS Software could allow an authenticated, local attacker to view sensitive system files that should be restricted. The attacker could use this information to conduct additional reconnaissance...

CVSS 5.5 • AI score 5.4 • EPSS 0.00309 • Exploits 0 • References 1

Cisco • added 2019/05/01 4:0 p.m. • 35 views

Cisco Firepower Threat Defense Software Command Injection Vulnerability

A vulnerability in the CLI of Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, local attacker to perform a command injection attack. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by injecting commands into argument...

CVSS 6.7 • AI score 7.2 • EPSS 0.00663 • Exploits 0 • References 1

Cisco • added 2018/10/03 4:0 p.m. • 35 views

Cisco Unity Connection Stored Cross-Site Scripting Vulnerability

A vulnerability in the web-based interface of Cisco Unity Connection could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web-based interface of the affected software. The vulnerability is due to insufficient validation of...

CVSS 4.8 • AI score 1.6 • EPSS 0.00862 • Exploits 0 • References 1

Cisco • added 2018/10/03 4:0 p.m. • 35 views

Cisco HyperFlex UI Clickjacking Vulnerability

A vulnerability in the web UI of Cisco HyperFlex Software could allow an unauthenticated, remote attacker to affect the integrity of a device via a clickjacking attack. The vulnerability is due to insufficient input validation of iFrame data in HTTP requests that are sent to an affected device. A...

CVSS 4.7 • AI score 1 • EPSS 0.00922 • Exploits 0 • References 1

Total number of security vulnerabilities: 5000