5218 matches found
Cisco UCS Central Arbitrary Command Execution Vulnerability
A vulnerability in an operations script of Cisco UCS Central could allow an authenticated, remote attacker to execute arbitrary shell commands with the privileges of the daemon user. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by posting...
Cisco Unified Communications Manager Information Disclosure Vulnerability
A vulnerability in Cisco Unified Communications Manager could allow an authenticated, remote attacker to access sensitive information on an affected system. The vulnerability exists because the affected software improperly validates user-supplied search input. An attacker could exploit this...
Cisco Aggregation Services Router 9000 Series IPv6 Fragment Header Denial of Service Vulnerability
A vulnerability in the IPv6 subsystem of Cisco IOS XR Software Release 5.3.4 for the Cisco Aggregation Services Router ASR 9000 Series could allow an unauthenticated, remote attacker to trigger a reload of one or more Trident-based line cards, resulting in a denial of service DoS condition. The...
Cisco Adaptive Security Appliance Remote Code Execution and Denial of Service Vulnerability
Update from February 5, 2018: After further investigation, Cisco has identified additional attack vectors and features that are affected by this vulnerability. In addition, it was also found that the original fix was incomplete so new fixed code versions are now available. Please see the Fixed...
Cisco Web Security Appliance Reflected Cross-Site Scripting Vulnerability
A vulnerability in the web-based management interface of Cisco Web Security Appliance WSA could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting XSS attack against a user of the web-based management interface of an affected device. The vulnerability is due to...
Cisco Prime Infrastructure Privilege Escalation Vulnerability
A vulnerability in the role-based access control RBAC functionality of Cisco Prime Infrastructure could allow an authenticated, remote attacker to perform a privilege escalation in which one virtual domain user can view and modify another virtual domain configuration. The vulnerability is due to ...
Cisco WAP150 Wireless Cross-Site Scripting Vulnerability
A vulnerability in the web-based management interface of Cisco WAP150 Wireless-AC/N Dual Radio Access Point with Power over Ethernet PoE and WAP361 Wireless-AC/N Dual Radio Wall Plate Access Point with PoE could allow an unauthenticated, remote attacker to conduct a cross-site scripting XSS attac...
Cisco Elastic Services Controller Information Disclosure Vulnerability
A vulnerability in the ConfD server of the Cisco Elastic Services Controller ESC could allow an unauthenticated, local attacker to access sensitive information on a targeted system. The vulnerability is due to insufficient security restrictions. An attacker could exploit this vulnerability by...
Cisco WebEx Meetings Server Information Disclosure Vulnerability
A vulnerability in Cisco WebEx Meetings Server could allow an unauthenticated, remote attacker to access sensitive data about the application. An attacker could exploit this vulnerability to gain information to conduct additional reconnaissance attacks. The vulnerability is due to a design flaw i...
Cisco Identity Services Engine DOM Cross-Site Scripting Vulnerability
A vulnerability in the web-based management interface of Cisco Identity Services Engine ISE could allow an unauthenticated, remote attacker to conduct a Document Object Model DOM cross-site scripting XSS attack against a user of the web-based management interface of an affected device. The...
Cisco Small Business 300 and 500 Series Managed Switches HTTP Response Splitting Vulnerability
A vulnerability in the web framework of Cisco Small Business Managed Switches software could allow an unauthenticated, remote attacker to conduct an HTTP response splitting attack against a user of the web interface of an affected system. The vulnerability is due to insufficient input validation ...
Cisco UCS Central Software IPv6 Denial of Service Vulnerability
A vulnerability in IPv6 ingress packet processing for Cisco UCS Central Software could allow an unauthenticated, remote attacker to cause a denial of service DoS condition due to high CPU utilization on the targeted device. The vulnerability is due to insufficient rate limiting protection for IPv...
Cisco Email Security and Content Security Management Appliance Privilege Escalation Vulnerability
A vulnerability in the administrative shell of the Cisco Email Security Appliance ESA and Content Security Management Appliance SMA could allow an authenticated, local attacker to escalate their privilege level and gain root access. The attacker has to have a valid user credential with at least a...
Cisco NX-OS Software Pong Packet Denial of Service Vulnerability
A vulnerability in the Pong tool of Cisco NX-OS Software could allow an unauthenticated, adjacent attacker to cause a reload of an affected device, resulting in a denial of service DoS condition. The vulnerability exists because the affected software attempts to free the same area of memory twice...
Cisco NX-OS System Software Management Interface Denial of Service Vulnerability
A vulnerability in management interface access control list ACL configuration of Cisco NX-OS System Software could allow an unauthenticated, remote attacker to bypass configured ACLs on the management interface. This could allow traffic to be forwarded to the NX-OS CPU for processing, leading to...
Cisco WebEx Meetings Server Remote Account Disabling Vulnerability
A vulnerability in Cisco WebEx Meetings Server could allow an authenticated, remote attacker to access the remote support account even after it has been disabled via the web application. The vulnerability is due to a design flaw in Cisco WebEx Meetings Server, which would not disable access to...
Cisco Prime Infrastructure Open Redirect Vulnerability
A vulnerability in the web interface of Cisco Prime Infrastructure could allow an unauthenticated, remote attacker to redirect a user to a malicious web page. The vulnerability is due to improper input validation of the parameters in the HTTP request. An attacker could exploit this vulnerability ...
Cisco WebEx Meetings Server Information Disclosure Vulnerability
A vulnerability in Cisco WebEx Meetings Server could allow an unauthenticated, remote attacker to collect customer files via an out-of-band XML External Entity XXE injection. An attacker could exploit this vulnerability to gain information to conduct additional reconnaissance attacks. The...
Cisco WebEx Meetings Server Information Disclosure Vulnerability
A vulnerability in Cisco WebEx Meetings Server could allow an authenticated, remote attacker to access sensitive data about the application. An attacker could exploit this vulnerability to obtain information to conduct additional reconnaissance attacks. The vulnerability is due to a design flaw i...
Cisco IOS Software for Industrial Ethernet 4010 Series Switches Test Command Arbitrary Code Execution and Denial of Service Vulnerability
A vulnerability in one of the diagnostic test CLI commands on Cisco Industrial Ethernet 4010 Series Switches running Cisco IOS Software could allow an authenticated, local attacker to impact the stability of the device. This could result in arbitrary code execution or a denial of service DoS...
Cisco Unified Communications Manager Information Disclosure Vulnerability
A vulnerability in the web framework of Cisco Unified Communications Manager could allow an unauthenticated, remote attacker to view sensitive data. The vulnerability is due to insufficient protection of database tables. An attacker could exploit this vulnerability by browsing to a specific URL. ...
Cisco D9800 Network Transport Receiver OS Command Injection Vulnerability
A vulnerability in the web management GUI of the Cisco D9800 Network Transport Receiver could allow an authenticated, remote attacker to perform a command injection attack. The vulnerability is due to insufficient input validation of GUI command arguments. An attacker could exploit this...
Cisco AnyConnect Profile Editor XML External Entity Injection Vulnerability
A vulnerability in the Profile Editor of the Cisco AnyConnect Secure Mobility Client could allow an unauthenticated, local attacker to have read and write access to information stored in the affected system. The vulnerability is due to improper handling of the XML External Entity XXE entries when...
Cisco Small Business 300 and 500 Series Managed Switches Cross-Site Scripting Vulnerability
A vulnerability in the web framework of Cisco Small Business Managed Switches software could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting XSS attack against a user of the web interface of an affected system. The vulnerability is due to insufficient input...
Cisco NX-OS System Software Unauthorized User Account Deletion Vulnerability
A vulnerability in the network-operator user role implementation for Cisco NX-OS System Software could allow an authenticated, local attacker to improperly delete valid user accounts. The network-operator role should not be able to delete other configured users on the device. The vulnerability is...
Cisco Unified Customer Voice Portal Denial of Service Vulnerability
A vulnerability in the application server of the Cisco Unified Customer Voice Portal CVP could allow an unauthenticated, remote attacker to cause a denial of service DoS condition on the affected device. The vulnerability is due to malformed SIP INVITE traffic received on the CVP during...
Cisco StarOS CLI Command Injection Vulnerability
A vulnerability in the CLI of the Cisco StarOS operating system for Cisco ASR 5000 Series routers could allow an authenticated, local attacker to execute arbitrary commands with root privileges on an affected host operating system. The vulnerability is due to insufficient validation of...
Cisco Prime Service Catalog Cross-Site Request Forgery Vulnerability
A vulnerability in the web framework of Cisco Prime Service Catalog could allow an unauthenticated, remote attacker to execute unwanted actions on an affected device. The vulnerability is due to a lack of cross-site request forgery CSRF protection. An attacker could exploit this vulnerability by...
Cisco Policy Suite Unauthenticated Information Disclosure Vulnerability
A vulnerability in the Policy and Charging Rules Function PCRF of the Cisco Policy Suite CPS could allow an unauthenticated, remote attacker to access sensitive data. The attacker could use this information to conduct additional reconnaissance attacks. The attacker would also have to have access ...
Cisco Enterprise License Manager Information Disclosure Vulnerability
A vulnerability in the web framework of Cisco Enterprise License Manager could allow an unauthenticated, remote attacker to view sensitive data. The vulnerability is due to insufficient protection of database tables. An attacker could exploit this vulnerability by browsing to a specific URL. An...
Cisco Unified Communications Manager Cross-Site Scripting Vulnerability
A vulnerability in the web-based management interface of Cisco Unified Communications Manager could allow an unauthenticated, remote attacker to perform a cross-site scripting XSS attack against a user of the web-based management interface of an affected device. The vulnerability is due to...
CPU Side-Channel Information Disclosure Vulnerabilities
On January 3, 2018, researchers disclosed three vulnerabilities that take advantage of the implementation of speculative execution of instructions on many modern microprocessor architectures to perform side-channel information disclosure attacks. These vulnerabilities could allow an unprivileged...
Cisco WebEx Network Recording Player Buffer Overflow Vulnerability
A vulnerability in Cisco WebEx Network Recording Player for Advanced Recording Format ARF files could allow a local attacker to execute arbitrary code on the system of a user. The attacker could exploit this vulnerability by sending the user a link or email attachment with a malicious ARF file an...
Cisco WebEx Advanced Recording Format Player Remote Code Execution Vulnerability
A vulnerability in Cisco WebEx Network Recording Player for Advanced Recording Format ARF files could allow a remote attacker to execute arbitrary code on the system of a targeted user. The attacker could exploit this vulnerability by sending the user a link or email attachment with a malicious A...
Bleichenbacher Attack on TLS Affecting Cisco Products: December 2017
On December 12, 2017, a research paper with the title Return of Bleichenbacher's Oracle Threat was made publicly available. This paper describes how some Transport Layer Security TLS stacks are vulnerable to variations of the classic Bleichenbacher attack on RSA key exchange. Multiple...
Cisco NX-OS System Software Image Signature Bypass Vulnerability
A vulnerability in Cisco NX-OS System Software could allow an authenticated, local attacker to bypass signature verification when loading a software image. The vulnerability is due to insufficient NX-OS signature verification for software images. An authenticated, local attacker could exploit thi...
Cisco WebEx Event Center Information Disclosure Vulnerability
A vulnerability in Cisco WebEx Event Center could allow an authenticated, remote attacker to view unlisted meeting information. The vulnerability is due to a design flaw in the product. An attacker could execute a query on an Event Center site to view scheduled meetings. A successful query would...
Cisco WebEx Meeting Server Unauthorized Welcome Message Modification Vulnerability
A vulnerability in Cisco WebEx Meeting Server could allow an unauthenticated, remote attacker to modify the welcome message of a meeting on an affected system. The vulnerability is due to insufficient security settings on meetings. An attacker could exploit this vulnerability by modifying the...
Cisco Secure Access Control System Information Disclosure Vulnerability
A vulnerability in the web-based interface of Cisco Secure Access Control System ACS could allow an unauthenticated, remote attacker to view sensitive information on an affected system. The vulnerability exists because the affected software does not sufficiently protect system software version...
Cisco Multilayer Director, Nexus 7000 Series, and Nexus 7700 Series Switches Bash Shell Unauthorized Access Vulnerability
A vulnerability in Cisco NX-OS System Software running on Cisco MDS Multilayer Director Switches, Cisco Nexus 7000 Series Switches, and Cisco Nexus 7700 Series Switches could allow an authenticated, local attacker to access the Bash shell of an affected device's operating system, even if the Bash...
Cisco Unified Communications Manager Cross-Site Scripting Vulnerability
A vulnerability in the web-based management interface of Cisco Unified Communications Manager could allow an authenticated, remote attacker to conduct a cross-site scripting XSS attack against a user of the web-based management interface of an affected device. The vulnerability is due to...
Multiple Vulnerabilities in Cisco UCS Central Software
Multiple vulnerabilities in the web-based management interface of Cisco UCS Central Software could allow a remote attacker to conduct a cross-site scripting XSS attack against a user of the affected interface or hijack a valid session ID from a user of the affected interface. For more information...
Cisco WebEx Meeting Center Cross-Site Scripting Vulnerability
A vulnerability in Cisco WebEx Meeting Center could allow an unauthenticated, remote attacker to conduct a cross-site scripting XSS attack against a user of an affected system. The vulnerability is due to insufficient input validation of some parameters that are passed to the web server of the...
Cisco NX-OS System Software Interactive TCL Shell Escape Vulnerability
A vulnerability in the TCL scripting subsystem of Cisco NX-OS System Software could allow an authenticated, local attacker to escape the interactive TCL shell and gain unauthorized access to the underlying operating system of the device. The vulnerability exists due to insufficient input validati...
Cisco Nexus Series Switches CLI Command Injection Vulnerability
A vulnerability in the CLI of Cisco NX-OS System Software could allow an authenticated, local attacker to perform a command injection attack. The vulnerability is due to insufficient input validation of command arguments to the CLI parser. An attacker could exploit this vulnerability by injecting...
Cisco NX-OS System Software CLI Command Injection Vulnerability
A vulnerability in the CLI of Cisco NX-OS System Software could allow an authenticated, local attacker to perform a command injection attack. The vulnerability is due to insufficient input validation of command arguments to the CLI parser. An attacker could exploit this vulnerability by injecting...
Cisco NX-OS System Software CLI Command Injection Vulnerability
A vulnerability in the CLI of Cisco NX-OS System Software could allow an authenticated, local attacker to perform a command injection attack. The vulnerability is due to insufficient input validation of command arguments. An attacker could exploit this vulnerability by injecting crafted command...
Cisco NX-OS System Software Patch Installation Arbitrary File Write Vulnerability
A vulnerability in Cisco NX-OS System Software patch installation could allow an authenticated, local attacker to write a file to arbitrary locations. The vulnerability is due to insufficient restrictions in the patch installation process. An attacker could exploit this vulnerability by installin...
Cisco Meeting Server Denial of Service Vulnerability
A vulnerability in Cisco Meeting Server versions prior to 2.2.2 could allow an authenticated, remote attacker to cause the system to reload, resulting in a denial of service DoS condition. The vulnerability is due to video calls being made on systems with a particular configuration. An attacker...
Cisco NX-OS System Software CLI Arbitrary File Read Vulnerability
A vulnerability in the CLI of Cisco NX-OS System Software could allow an authenticated, local attacker to read the contents of arbitrary files. The vulnerability is due to insufficient input validation for a specific CLI command. An attacker could exploit this vulnerability by issuing a crafted...