Cisco Packet Tracer for Windows DLL Injection Vulnerability

A vulnerability in Cisco Packet Tracer for Windows could allow an authenticated, local attacker to perform a DLL injection attack on an affected device. To exploit this vulnerability, the attacker must have valid credentials on the Windows system. This vulnerability is due to incorrect handling o...

ConfD CLI Secure Shell Server Privilege Escalation Vulnerability

A vulnerability in ConfD could allow an authenticated, local attacker to execute arbitrary commands at the level of the account under which ConfD is running, which is commonly root. To exploit this vulnerability, an attacker must have a valid account on the affected device. The vulnerability exis...

Cisco Intersight Virtual Appliance IPv4 and IPv6 Forwarding Vulnerabilities

Multiple vulnerabilities in Cisco Intersight Virtual Appliance could allow an unauthenticated, adjacent attacker to access sensitive internal services from an external interface. These vulnerabilities are due to insufficient restrictions for IPv4 or IPv6 packets that are received on the external...

Cisco Unified Customer Voice Portal Cross-Site Scripting Vulnerability

A vulnerability in the web-based management interface of Cisco Unified Customer Voice Portal CVP could allow an unauthenticated, remote attacker to perform a cross-site scripting XSS attack against a user. This vulnerability is due to insufficient input validation of a parameter that is used by t...

Cisco Intersight Virtual Appliance Vulnerabilities

Multiple vulnerabilities in the web-based management interface of Cisco Intersight Virtual Appliance could allow an authenticated, remote attacker to conduct a path traversal or command injection attack on an affected system. These vulnerabilities are due to insufficient input validation. An...

Cisco SD-WAN vManage Software Information Disclosure Vulnerability

A vulnerability in the CLI interface of Cisco SD-WAN vManage Software could allow an authenticated, local attacker to read arbitrary files on the underlying file system of an affected system. This vulnerability exists because access to sensitive information on an affected system is not sufficient...

Cisco Firepower Device Manager On-Box Software Remote Code Execution Vulnerability

A vulnerability in the REST API of Cisco Firepower Device Manager FDM On-Box Software could allow an authenticated, remote attacker to execute arbitrary code on the underlying operating system of an affected device. This vulnerability is due to insufficient sanitization of user input on specific...

Cisco SD-WAN Software Information Disclosure Vulnerability

A vulnerability in the Multiprotocol Label Switching MPLS packet handling function of Cisco SD-WAN Software could allow an unauthenticated, remote attacker to gain access to information stored in MPLS buffer memory. This vulnerability is due to insufficient handling of malformed MPLS packets that...

Cisco Adaptive Security Appliance Software Release 9.16.1 and Cisco Firepower Threat Defense Software Release 7.0.0 IPsec Denial of Service Vulnerability

A vulnerability in the software cryptography module of Cisco Adaptive Security Appliance ASA Software and Cisco Firepower Threat Defense FTD Software could allow an authenticated, remote attacker or an unauthenticated attacker in a man-in-the-middle position to cause an unexpected reload of the...

Cisco Business Process Automation Privilege Escalation Vulnerabilities

Multiple vulnerabilities in the web-based management interface of Cisco Business Process Automation BPA could allow an authenticated, remote attacker to elevate privileges to Administrator. These vulnerabilities are due to improper authorization enforcement for specific features and for access to...

Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerabilities

Multiple vulnerabilities in the web-based management interface of Cisco Identity Services Engine ISE could allow an authenticated, remote attacker to conduct a stored cross-site scripting XSS attack against a user. These vulnerabilities exist because the web-based management interface does not...

Broadcom MediaxChange Vulnerability Affecting Cisco Products: July 2021

A vulnerability in the TrustZone implementation in certain Broadcom MediaxChange firmware was reported by security researchers. To exploit this vulnerability on the affected Cisco products, the attacker would need to dismount the backplate of the device and trigger a specific series of impulses o...

Cisco Adaptive Security Device Manager Remote Code Execution Vulnerability

A vulnerability in the Cisco Adaptive Security Device Manager ASDM Launcher could allow an unauthenticated, remote attacker to execute arbitrary code on a user's operating system. This vulnerability is due to a lack of proper signature verification for specific code exchanged between the ASDM and...

Cisco BroadWorks Application Server Information Disclosure Vulnerability

A vulnerability in the XSI-Actions interface of Cisco BroadWorks Application Server could allow an authenticated, remote attacker to access sensitive information on an affected system. This vulnerability is due to improper input validation and authorization of specific commands that a user can...

Cisco Video Surveillance 7000 Series IP Cameras Link Layer Discovery Protocol Memory Leak Vulnerabilities

Multiple vulnerabilities in the Link Layer Discovery Protocol LLDP implementation for Cisco Video Surveillance 7000 Series IP Cameras could allow an unauthenticated, adjacent attacker to cause a memory leak, which could lead to a denial of service DoS condition on an affected device. These...

Cisco Virtualized Voice Browser Cross-Site Scripting Vulnerability

A vulnerability in the web-based management interface of Cisco Virtualized Voice Browser could allow an unauthenticated, remote attacker to conduct a cross-site scripting XSS attack against a user of the interface. This vulnerability exists because the web-based management interface does not...

Cisco Web Security Appliance Privilege Escalation Vulnerability

A vulnerability in the configuration management of Cisco AsyncOS for Cisco Web Security Appliance WSA could allow an authenticated, remote attacker to perform command injection and elevate privileges to root. This vulnerability is due to insufficient validation of user-supplied XML input for the...

Cisco DNA Center Certificate Validation Vulnerability

A vulnerability in the Cisco Identity Services Engine ISE integration feature of the Cisco DNA Center Software could allow an unauthenticated, remote attacker to gain unauthorized access to sensitive data. The vulnerability is due to an incomplete validation of the X.509 certificate used when...

Cisco Meeting Server API Denial of Service Vulnerability

A vulnerability in the API of Cisco Meeting Server could allow an authenticated, remote attacker to cause a denial of service DoS condition on an affected device. This vulnerability exists because requests that are sent to the API are not properly validated. An attacker could exploit this...

Cisco Email Security Appliance and Cisco Web Security Appliance Certificate Validation Vulnerability

A vulnerability in the Cisco Advanced Malware Protection AMP for Endpoints integration of Cisco AsyncOS for Cisco Email Security Appliance ESA and Cisco Web Security Appliance WSA could allow an unauthenticated, remote attacker to intercept traffic between an affected device and the AMP servers...

Cisco Jabber Desktop and Mobile Client Software Vulnerabilities

Multiple vulnerabilities in Cisco Jabber for Windows, Cisco Jabber for Mac, and Cisco Jabber for mobile platforms could allow an attacker to access sensitive information or cause a denial of service DoS condition. For more information about these vulnerabilities, see the Details "details" section...

Cisco Small Business 220 Series Smart Switches Vulnerabilities

Multiple vulnerabilities in the web-based management interface of Cisco Small Business 220 Series Smart Switches could allow an attacker to do the following: Hijack a user session Execute arbitrary commands as a root user on the underlying operating system Conduct a cross-site scripting XSS attac...

Cisco Unified Intelligence Center Reflected Cross-Site Scripting Vulnerability

A vulnerability in the web-based management interface of Cisco Unified Intelligence Center could allow an unauthenticated, remote attacker to conduct a cross-site scripting XSS attack against a user of the interface. This vulnerability exists because the web-based management interface does not...

Cisco AnyConnect Secure Mobility Client for Windows Denial of Service Vulnerability

A vulnerability in Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to cause a denial of service DoS condition on an affected system. This vulnerability is due to uncontrolled memory allocation. An attacker could exploit this vulnerability by copyin...

Cisco AnyConnect Secure Mobility Client for Windows with VPN Posture (HostScan) Module DLL Hijacking Vulnerability

A vulnerability in the DLL loading mechanism of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to perform a DLL hijacking attack on an affected device if the VPN Posture HostScan Module is installed on the AnyConnect client. This vulnerability is...

Cisco Webex Player Memory Corruption Vulnerability

A vulnerability in Cisco Webex Player for Windows and MacOS could allow an attacker to cause the affected software to terminate or to gain access to memory state information that is related to the vulnerable application. The vulnerability is due to insufficient validation of values in Webex...

Cisco Webex Meetings, Webex Network Recording Player, and Webex Teams DLL Injection Vulnerability

A vulnerability in Cisco Webex Meetings Desktop App for Windows, Cisco Webex Meetings Server, Cisco Webex Network Recording Player for Windows, and Cisco Webex Teams for Windows could allow an authenticated, local attacker to perform a DLL injection attack on an affected device. To exploit this...

Cisco Webex Meetings Client Software Logging Information Disclosure Vulnerability

A vulnerability in logging mechanisms of Cisco Webex Meetings client software could allow an authenticated, local attacker to gain access to sensitive information. This vulnerability is due to unsafe logging of application actions. An attacker could exploit this vulnerability by logging onto the...

Cisco Webex Network Recording Player and Webex Player Memory Corruption Vulnerability

A vulnerability in Cisco Webex Network Recording Player for Windows and MacOS and Cisco Webex Player for Windows and MacOS could allow an attacker to execute arbitrary code on an affected system. The vulnerability is due to insufficient validation of values within Webex recording files formatted ...

Cisco Webex Meetings and Webex Meetings Server File Redirect Vulnerability

A vulnerability in Cisco Webex Meetings and Cisco Webex Meetings Server could allow an unauthenticated, remote attacker to redirect users to a malicious file. This vulnerability is due to improper validation of URL paths in the application interface. An attacker could exploit this vulnerability b...

Cisco SD-WAN Software Privilege Escalation Vulnerability

A vulnerability in the CLI of Cisco SD-WAN Software could allow an authenticated, local attacker to gain elevated privileges on an affected system. This vulnerability exists because the affected software does not properly restrict access to privileged processes. An attacker could exploit this...

Cisco ASR 5000 Series Software Authorization Bypass Vulnerabilities

Multiple vulnerabilities in the authorization process of Cisco ASR 5000 Series Software StarOS could allow an authenticated, remote attacker to bypass authorization and execute a subset of CLI commands on an affected device. For more information about these vulnerabilities, see the Details...

Cisco ThousandEyes Recorder Information Disclosure Vulnerability

A vulnerability in the installer software of Cisco ThousandEyes Recorder could allow an unauthenticated, local attacker to access sensitive information that is contained in the ThousandEyes Recorder installer software. This vulnerability exists because sensitive information is included in the...

Cisco Webex Network Recording Player and Webex Player Memory Corruption Vulnerability

A vulnerability in Cisco Webex Network Recording Player for Windows and MacOS and Cisco Webex Player for Windows and MacOS could allow an attacker to execute arbitrary code on an affected system. This vulnerability is due to insufficient validation of values in Webex recording files that are in...

Cisco Webex Player Memory Corruption Vulnerability

A vulnerability in Cisco Webex Player for Windows and MacOS could allow an attacker to execute arbitrary code on an affected system. This vulnerability is due to insufficient validation of values in Webex recording files that are in Webex Recording Format WRF. An attacker could exploit this...

Cisco Video Surveillance 7000 Series IP Cameras Cisco Discovery Protocol and Link Layer Discovery Protocol Memory Leak Vulnerabilities

Multiple vulnerabilities in the implementation of the Cisco Discovery Protocol and Link Layer Discovery Protocol LLDP for Cisco Video Surveillance 7000 Series IP Cameras could allow an unauthenticated, adjacent attacker to cause a memory leak, which could lead to a denial of service DoS condition...

Cisco Webex Meetings and Webex Meetings Server Multimedia Sharing Security Bypass Vulnerability

A vulnerability in the multimedia viewer feature of Cisco Webex Meetings and Cisco Webex Meetings Server could allow an authenticated, remote attacker to bypass security protections. This vulnerability is due to unsafe handling of shared content within the multimedia viewer feature. An attacker...

Cisco Common Services Platform Collector Command Injection Vulnerability

A vulnerability in the configuration dashboard of Cisco Common Services Platform Collector CSPC could allow an authenticated, remote attacker to execute arbitrary code. This vulnerability is due to insufficient sanitization of configuration entries. An attacker could exploit this vulnerability by...

Lasso SAML Implementation Vulnerability Affecting Cisco Products: June 2021

On June 1, 2021, Lasso disclosed a security vulnerability in the Lasso Security Assertion Markup Language SAML Single Sign-On SSO library. This vulnerability could allow an authenticated attacker to impersonate another authorized user when interacting with an application. For a description of thi...

Cisco Finesse Open Redirect Vulnerability

A vulnerability in the web-based management interface of Cisco Finesse could allow an unauthenticated, remote attacker to redirect a user to an undesired web page. This vulnerability is due to improper input validation of the URL parameters in an HTTP request that is sent to an affected system. A...

Cisco DNA Spaces Connector Privilege Escalation Vulnerabilities

Multiple vulnerabilities in Cisco DNA Spaces Connector could allow an authenticated, local attacker to elevate privileges and execute arbitrary commands on the underlying operating system as root. These vulnerabilities are due to insufficient restrictions during the execution of affected CLI...

Cisco ADE-OS Local File Inclusion Vulnerability

A vulnerability in the restricted shell of Cisco Evolved Programmable Network EPN Manager, Cisco Identity Services Engine ISE, and Cisco Prime Infrastructure could allow an authenticated, local attacker to identify directories and write arbitrary files to the file system. This vulnerability is du...

Cisco Modeling Labs Web UI Command Injection Vulnerability

A vulnerability in the web UI of Cisco Modeling Labs could allow an authenticated, remote attacker to execute arbitrary commands with the privileges of the web application on the underlying operating system of an affected Cisco Modeling Labs server. This vulnerability is due to insufficient...

Cisco DNA Spaces Connector Command Injection Vulnerabilities

Multiple vulnerabilities in Cisco DNA Spaces Connector could allow an authenticated, remote attacker to perform a command injection attack on an affected device. These vulnerabilities are due to insufficient input sanitization when executing affected commands. A high-privileged attacker could...

Cisco Small Business 100, 300, and 500 Series Wireless Access Points Command Injection Vulnerabilities

Multiple vulnerabilities in the web-based management interface of certain Cisco Small Business 100, 300, and 500 Series Wireless Access Points could allow an authenticated, remote attacker to perform command injection attacks against an affected device. These vulnerabilities are due to improper...

Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager Command Injection Vulnerability

A vulnerability in the web-based management interface of Cisco Prime Infrastructure and Evolved Programmable Network EPN Manager could allow an authenticated, remote attacker to execute arbitrary commands on an affected system. The vulnerability is due to insufficient validation of user-supplied...

Cisco Finesse Cross-Site Scripting Vulnerabilities

Multiple vulnerabilities in the web-based management interface of Cisco Finesse could allow an authenticated, remote attacker to conduct a cross-site scripting XSS attack against a user of the interface. These vulnerabilities are due to insufficient validation of user-supplied input by the...

Multiple Vulnerabilities in Frame Aggregation and Fragmentation Implementations of 802.11 Specification Affecting Cisco Products: May 2021

On May 11, 2021, the research paper Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation was made public. This paper discusses 12 vulnerabilities in the 802.11 standard. One vulnerability is in the frame aggregation functionality, two vulnerabilities are in the frame...

Cisco Unified Communications Manager IM & Presence Service SQL Injection Vulnerabilities

Multiple vulnerabilities in the web-based management interface of Cisco Unified Communications Manager IM & Presence Service could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. These vulnerabilities are due to improper validation of user-submitted...

Cisco AnyConnect Secure Mobility Client Profile Modification Vulnerability

A vulnerability in the interprocess communication IPC channel of Cisco AnyConnect Secure Mobility Client Software could allow an authenticated, local attacker to overwrite VPN profiles on an affected device. The vulnerability is due to insufficient validation of user-supplied input. An attacker...