5218 matches found

Cisco
•added 2017/06/29 4:0 p.m.•267 views

SNMP Remote Code Execution Vulnerabilities in Cisco IOS and IOS XE Software

The Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE Software contains multiple vulnerabilities that could allow an authenticated, remote attacker to remotely execute code on an affected system or cause an affected system to reload. An attacker could exploit these...

CVSS 8.8 • AI score 9.2
Exploits 0 • References 1
Cisco
•added 2017/06/21 4:0 p.m.•25 views

Cisco StarOS for ASR 5000 Series Routers IPsec VPN Tunnel Denial of Service Vulnerability

A vulnerability in the IPsec component of Cisco StarOS for Cisco ASR 5000 Series Routers could allow an unauthenticated, remote attacker to terminate all active IPsec VPN tunnels and prevent new tunnels from establishing, resulting in a denial of service (DoS) condition. The vulnerability is due to...

CVSS 5.8 • AI score 5.8 • EPSS 0.0082
Exploits 0 • References 1
Cisco
•added 2017/06/21 4:0 p.m.•24 views

Cisco Firepower Management Center Cross-Site Scripting Vulnerability

A vulnerability in the web framework of Cisco Firepower Management Center could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface. The vulnerability is due to insufficient validation of user-supplied input by the affected...

CVSS 5.4 • AI score 5.4 • EPSS 0.00171
Exploits 0 • References 1
Cisco
•added 2017/06/21 4:0 p.m.•33 views

Cisco Identity Services Engine Reflected Cross-Site Scripting Vulnerability

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to conduct a reflective cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerability is due to...

CVSS 4.1 • AI score 5.4 • EPSS 0.00235
Exploits 0 • References 1
Cisco
•added 2017/06/21 4:0 p.m.•31 views

Cisco Unified Contact Center Express Clear Text Authentication Vulnerability

A vulnerability in the Extensible Messaging and Presence Protocol (XMPP) service of Cisco Unified Contact Center Express (UCCx) could allow an unauthenticated, remote attacker to masquerade as a legitimate user. The vulnerability is due to the XMPP service incorrectly processing an unsecured HTTP por...

CVSS 6.1 • AI score 6.3 • EPSS 0.00447
Exploits 0 • References 1
Cisco
•added 2017/06/21 4:0 p.m.•20 views

Cisco WebEx Network Recording Player Multiple Buffer Overflow Vulnerabilities

Multiple buffer overflow vulnerabilities exist in the Cisco WebEx Network Recording Player for Advanced Recording Format (ARF) files. An attacker could exploit these vulnerabilities by providing a user with a malicious ARF file via email or URL and convincing the user to launch the file. Exploitati...

CVSS 7.3 • AI score 8.2 • EPSS 0.00965
Exploits 0 • References 1
Cisco
•added 2017/06/21 4:0 p.m.•20 views

Cisco Prime Infrastructure and Evolved Programmable Network Manager DOM Cross-Site Scripting Vulnerability

A vulnerability in the web-based management interface of Cisco Prime Infrastructure (PI) and Evolved Programmable Network Manager (EPNM) could allow an unauthenticated, remote attacker to conduct a Document Object Model (DOM) based (environment or client-side) cross-site scripting (XSS) attack against a us...

CVSS 4.7 • AI score 6 • EPSS 0.00349
Exploits 2 • References 1
Cisco
•added 2017/06/21 4:0 p.m.•25 views

Cisco Prime Infrastructure Web Framework Code Cross-Site Scripting Vulnerability

A vulnerability in the web framework code of Cisco Prime Infrastructure could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface of an affected system. The vulnerability is due to insufficient input validation of some...

CVSS 4.7 • AI score 6.1 • EPSS 0.00349
Exploits 0 • References 1
Cisco
•added 2017/06/21 4:0 p.m.•23 views

Cisco IOS XR Software Privilege Escalation Vulnerability

A vulnerability in the CLI of Cisco IOS XR Software could allow an authenticated, local attacker to elevate privileges to the root level. The vulnerability is due to incorrect permission settings on binary files in the affected software. An attacker could exploit this vulnerability by sending...

CVSS 6.7 • AI score 6.5 • EPSS 0.00079
Exploits 0 • References 1
Cisco
•added 2017/06/21 4:0 p.m.•33 views

Cisco Firepower Management Center Cross-Site Scripting Vulnerability

A vulnerability in the web framework of Cisco Firepower Management Center could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface. The vulnerability is due to insufficient validation of user-supplied input by the affected...

CVSS 5.4 • AI score 5.4 • EPSS 0.00171
Exploits 0 • References 1
Cisco
•added 2017/06/21 4:0 p.m.•28 views

Cisco Identity Services Engine Cross-Site Scripting Vulnerability

A vulnerability in the web application interface of the Cisco Identity Services Engine (ISE) portal could allow an unauthenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web interface of an affected system. The vulnerability is due to insufficient...

CVSS 6.1 • AI score 6.2 • EPSS 0.00349
Exploits 0 • References 1
Cisco
•added 2017/06/21 4:0 p.m.•22 views

Cisco IOS XR Software Local Command Injection Vulnerability

A vulnerability in the CLI of Cisco IOS XR Software could allow an authenticated, local attacker to execute arbitrary commands on the host operating system with root privileges. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending...

CVSS 6.7 • AI score 6.9 • EPSS 0.00154
Exploits 0 • References 1
Cisco
•added 2017/06/21 4:0 p.m.•30 views

Cisco Prime Infrastructure and Evolved Programmable Network Manager SQL Injection Vulnerability

A vulnerability in the Cisco Prime Infrastructure (PI) and Evolved Programmable Network Manager (EPNM) SQL database interface could allow an authenticated, remote attacker to impact the confidentiality and integrity of the application by executing arbitrary SQL queries. The vulnerability is due to a...

CVSS 6.5 • AI score 5.8 • EPSS 0.00197
Exploits 2 • References 1
Cisco
•added 2017/06/21 4:0 p.m.•21 views

Cisco Wide Area Application Services TCP Fragment Denial of Service Vulnerability

A vulnerability in the ingress processing of fragmented TCP packets by Cisco Wide Area Application Services (WAAS) could allow an unauthenticated, remote attacker to cause the WAASNET process to restart unexpectedly, causing a denial of service (DoS) condition. The vulnerability is due to incomplete...

CVSS 5.8 • AI score 5.5 • EPSS 0.0082
Exploits 0 • References 1
Cisco
•added 2017/06/21 4:0 p.m.•34 views

Cisco Prime Infrastructure and Evolved Programmable Network Manager XML Injection Vulnerability

A vulnerability in the web-based user interface of Cisco Prime Infrastructure (PI) and Evolved Programmable Network Manager (EPNM) could allow an authenticated, remote attacker read and write access to information stored in the affected system as well as perform remote code execution. The attacker mu...

CVSS 8.8 • AI score 8 • EPSS 0.00929
Exploits 2 • References 1
Cisco
•added 2017/06/21 4:0 p.m.•22 views

Cisco Prime Collaboration Provisioning Tool Session Hijacking Vulnerability

A vulnerability in the web application in the Cisco Prime Collaboration Provisioning tool could allow an unauthenticated, remote attacker to hijack another user's session. The vulnerability is due to insufficient session management during user authentication. An attacker could exploit this...

CVSS 5.9 • AI score 5.7 • EPSS 0.00977
Exploits 0 • References 1
Cisco
•added 2017/06/21 4:0 p.m.•23 views

Cisco SocialMiner Cross-Site Scripting Vulnerability

A vulnerability in the web framework of Cisco SocialMiner could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface of an affected system. The vulnerability is due to insufficient input validation. An attacker could exploit th...

CVSS 6.1 • AI score 6.1 • EPSS 0.00349
Exploits 0 • References 1
Cisco
•added 2017/06/21 4:0 p.m.•25 views

Cisco Firepower Management Center Stored Cross-Site Scripting Vulnerability

A vulnerability in the web framework of Cisco Firepower Management Center could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface. The vulnerability is due to insufficient validation of user-supplied input by the affected...

CVSS 5.4 • AI score 5.4 • EPSS 0.00171
Exploits 0 • References 1
Cisco
•added 2017/06/21 4:0 p.m.•24 views

Cisco Prime Collaboration Provisioning Tool Information Disclosure Vulnerability

A vulnerability in the filesystem of the Cisco Prime Collaboration Provisioning tool could allow an authenticated, local attacker to acquire sensitive information. The vulnerability is due to insecure file permissions. A successful exploit could allow the attacker to access sensitive information...

CVSS 5.5 • AI score 5.2 • EPSS 0.00078
Exploits 0 • References 1
Cisco
•added 2017/06/21 4:0 p.m.•26 views

Cisco Prime Infrastructure and Evolved Programmable Network Manager Reflected Cross-Site Scripting Vulnerability

A vulnerability in the web-based management interface of Cisco Prime Infrastructure (PI) and Evolved Programmable Network Manager (EPNM) could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the web-based management interface of an...

CVSS 4.7 • AI score 6.1 • EPSS 0.00349
Exploits 2 • References 1
Cisco
•added 2017/06/21 4:0 p.m.•23 views

Cisco Virtualized Packet Core-Distributed Instance Denial of Service Vulnerability

A vulnerability in the ingress UDP packet processing functionality of Cisco Virtualized Packet Core-Distributed Instance (VPC-DI) Software could allow an unauthenticated, remote attacker to cause both control function (CF) instances on an affected system to reload, resulting in a denial of service Do...

CVSS 8.6 • AI score 7.6 • EPSS 0.00484
Exploits 0 • References 1
Cisco
•added 2017/06/21 4:0 p.m.•26 views

Cisco Prime Collaboration Provisioning Tool Arbitrary File Download Vulnerability

A vulnerability in the web application in the Cisco Prime Collaboration Provisioning tool could allow an authenticated, remote attacker to perform arbitrary file downloads that could allow the attacker to read files from the underlying filesystem. The vulnerability is due to insufficient input...

CVSS 6.5 • AI score 6.4 • EPSS 0.00965
Exploits 0 • References 1
Cisco
•added 2017/06/21 4:0 p.m.•24 views

Cisco Prime Infrastructure Web Framework Code Cross-Site Scripting Vulnerabilities

A vulnerability in the web framework code of Cisco Prime Infrastructure could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface of an affected system. The vulnerability is due to insufficient input validation of some...

CVSS 4.7 • AI score 6.1 • EPSS 0.00349
Exploits 0 • References 1
Cisco
•added 2017/06/21 4:0 p.m.•19 views

Cisco Prime Collaboration Provisioning Tool Log File Information Disclosure Vulnerability

A vulnerability in the logging subsystem of the Cisco Prime Collaboration Provisioning tool could allow an unauthenticated, local attacker to acquire sensitive information. The vulnerability is due to the logging of sensitive details of specific user actions. An attacker could exploit this...

CVSS 5.1 • AI score 5.1 • EPSS 0.00068
Exploits 0 • References 1
Cisco
•added 2017/06/07 4:0 p.m.•25 views

Cisco Ultra Services Framework Element Manager Insecure Default Password Vulnerability

A vulnerability in Cisco Ultra Services Framework Element Manager could allow an authenticated, remote attacker with access to the management network to log in to the affected device using default credentials present on the system. The vulnerability is due to weak, hard-coded credentials present ...

CVSS 6.3 • AI score 8.7 • EPSS 0.00767
Exploits 0 • References 1
Cisco
•added 2017/06/07 4:0 p.m.•24 views

Cisco Ultra Services Framework Staging Server Insecure Default Credentials Vulnerability

A vulnerability in Cisco Ultra Services Framework Staging Server could allow an authenticated, remote attacker with access to the management network to log in as an admin user of the affected device. The vulnerability is due to weak, hard-coded credentials of the admin user present on the affecte...

CVSS 6.3 • AI score 8.7 • EPSS 0.00767
Exploits 0 • References 1
Cisco
•added 2017/06/07 4:0 p.m.•25 views

Cisco Elastic Services Controller Arbitrary Command Execution Vulnerability

A vulnerability in the ConfD CLI of Cisco Elastic Services Controllers could allow an authenticated, remote attacker to run arbitrary commands as the Linux tomcat user on an affected system. The vulnerability is due to insufficient sanitization of commands that are permitted to run from the ConfD...

CVSS 5 • AI score 8.8 • EPSS 0.00951
Exploits 0 • References 1
Cisco
•added 2017/06/07 4:0 p.m.•22 views

Cisco Ultra Services Framework Element Manager Insecure Default Account Information Vulnerability

A vulnerability in Cisco Ultra Services Framework Element Manager could allow an authenticated, remote attacker to log in to the device with the privileges of the root user. The vulnerability is due to a user account that has a default and static password. An attacker could exploit this...

CVSS 6.3 • AI score 8.9 • EPSS 0.00992
Exploits 0 • References 1
Cisco
•added 2017/06/07 4:0 p.m.•20 views

Cisco Email Security Appliance Attachment Filter Bypass Vulnerability

A vulnerability in the email message scanning of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to bypass configured filters on the device. The vulnerability is due to improper input validation of an email with an attachment and...

CVSS 5.8 • AI score 7.6 • EPSS 0.00383
Exploits 0 • References 1
Cisco
•added 2017/06/07 4:0 p.m.•33 views

Cisco Ultra Services Framework AutoVNF VNFStagingView Information Disclosure Vulnerability

A vulnerability in the AutoVNF VNFStagingView class of Cisco Ultra Services Framework could allow an unauthenticated, remote attacker to execute a relative path traversal attack, enabling an attacker to read sensitive files on the system. The vulnerability is due to insufficient sanity checks...

CVSS 4.3 • AI score 7.6 • EPSS 0.03078
Exploits 0 • References 1
Cisco
•added 2017/06/07 4:0 p.m.•26 views

Cisco Ultra Services Framework Element Manager Insecure Default Credentials Vulnerability

A vulnerability in Cisco Ultra Services Framework Element Manager could allow an authenticated, remote attacker with access to the management network to log in as an admin or oper user of the affected device. The vulnerability is due to weak, hard-coded credentials of the admin and oper user...

CVSS 6.3 • AI score 8.7 • EPSS 0.00767
Exploits 0 • References 1
Cisco
•added 2017/06/07 4:0 p.m.•25 views

Cisco NX-OS Software Fibre Channel over Ethernet Denial of Service Vulnerability

A vulnerability in the Fibre Channel over Ethernet (FCoE) protocol implementation in Cisco NX-OS Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition when an FCoE-related process unexpectedly reloads. The vulnerability is due to a lack of proper FCoE...

CVSS 7.4 • AI score 6.3 • EPSS 0.00245
Exploits 0 • References 1
Cisco
•added 2017/06/07 4:0 p.m.•27 views

Cisco TelePresence Endpoint Denial of Service Vulnerability

A vulnerability in the Session Initiation Protocol (SIP) of the Cisco TelePresence Codec (TC) and Collaboration Endpoint (CE) Software could allow an unauthenticated, remote attacker to cause a TelePresence endpoint to reload unexpectedly, resulting in a denial of service (DoS) condition. The vulnerabili...

CVSS 7.5 • AI score 7.6 • EPSS 0.00734
Exploits 0 • References 1
Cisco
•added 2017/06/07 4:0 p.m.•23 views

Cisco Elastic Services Controller Insecure Default Credentials Vulnerability

A vulnerability in Cisco Elastic Services Controllers could allow an authenticated, remote attacker to log in to an affected system as the Linux admin user. The vulnerability is due to the existence of a default, weak, hard-coded password for the Linux admin user of an affected system. A successf...

CVSS 6.3 • AI score 8.7 • EPSS 0.00992
Exploits 0 • References 1
Cisco
•added 2017/06/07 4:0 p.m.•37 views

Cisco IP Phone 8800 Series SIP Denial of Service Vulnerability

A vulnerability in Session Initiation Protocol (SIP) call handling of Cisco IP Phone 8800 Series devices could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition due to the SIP process unexpectedly restarting. All active phone calls are dropped as the SIP process...

CVSS 6.8 • AI score 5.9 • EPSS 0.0098
Exploits 0 • References 1
Cisco
•added 2017/06/07 4:0 p.m.•34 views

Cisco Ultra Services Framework AutoVNF Arbitrary Direction Creation Vulnerability

A vulnerability in the AutoVNF logging function of Cisco Ultra Services Framework could allow an unauthenticated, remote attacker to create arbitrary directories on the affected system. The vulnerability is due to insufficient checks when creating directories on the system. An attacker could...

CVSS 4.3 • AI score 7.6 • EPSS 0.00326
Exploits 0 • References 1
Cisco
•added 2017/06/07 4:0 p.m.•27 views

Cisco Elastic Services Controller Unauthorized Directory Access Vulnerability

A vulnerability in the ConfD server component of Cisco Elastic Services Controllers could allow an authenticated, local attacker to access information stored in the file system of an affected system. The vulnerability exists because the affected component does not sufficiently protect files that...

CVSS 4.4 • AI score 5.2 • EPSS 0.00057
Exploits 0 • References 1
Cisco
•added 2017/06/07 4:0 p.m.•23 views

Cisco Elastic Services Controller Information Disclosure Vulnerability

A vulnerability in the ConfD CLI of Cisco Elastic Services Controllers could allow an authenticated, remote attacker to access sensitive information on an affected system. The vulnerability is due to improper permissions that are set for certain files by the affected service. An attacker could...

CVSS 4.3 • AI score 6.5 • EPSS 0.00213
Exploits 0 • References 1
Cisco
•added 2017/06/07 4:0 p.m.•23 views

Cisco Elastic Services Controller User Credentials Information Disclosure Vulnerability

A vulnerability in the file system of Cisco Elastic Services Controllers could allow an authenticated, local attacker to gain access to sensitive credentials that are stored in an affected system. The vulnerability exists because the affected software does not sufficiently control access to the...

CVSS 5.5 • AI score 5.6 • EPSS 0.00067
Exploits 0 • References 1
Cisco
•added 2017/06/07 4:0 p.m.•27 views

Cisco Unified Communications Domain Manager Open Redirect Vulnerability

A vulnerability in the web-based GUI of Cisco Unified Communications Domain Manager could allow an unauthenticated, remote attacker to redirect a user to a malicious web page. The vulnerability is due to improper input validation of HTTP request parameters by the affected software. An attacker...

CVSS 6.1 • AI score 6.3 • EPSS 0.00255
Exploits 0 • References 1
Cisco
•added 2017/06/07 4:0 p.m.•19 views

Cisco Prime Data Center Network Manager Debug Remote Code Execution Vulnerability

A vulnerability in the role-based access control (RBAC) functionality of Cisco Prime Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to access sensitive information or execute arbitrary code with root privileges on an affected system. The vulnerability is due to the...

CVSS 9.8 • AI score 9.8 • EPSS 0.40742
Exploits 0 • References 1
Cisco
•added 2017/06/07 4:0 p.m.•55 views

Cisco Prime Data Center Network Manager Server Static Credential Vulnerability

A vulnerability in Cisco Prime Data Center Network Manager (DCNM) Software could allow an unauthenticated, remote attacker to log in to the administrative console of a DCNM server by using an account that has a default, static password. The account could be granted root- or system-level privileges...

CVSS 9.8 • AI score 9.6 • EPSS 0.53058
Exploits 0 • References 1
Cisco
•added 2017/06/07 4:0 p.m.•18 views

Cisco Elastic Services Controller Authentication Request Processing Arbitrary Command Execution Vulnerability

A vulnerability in the esclistener.py script of Cisco Elastic Services Controllers could allow an authenticated, remote attacker to execute arbitrary commands as the tomcat user on an affected system. The vulnerability is due to insufficient sanitization of arguments that are passed while...

CVSS 5.3 • AI score 8.9 • EPSS 0.09493
Exploits 0 • References 1
Cisco
•added 2017/06/07 4:0 p.m.•26 views

Cisco Elastic Services Controller Insecure Default Password Vulnerability

A vulnerability in Cisco Elastic Services Controllers could allow an authenticated, remote attacker to log in to an affected system as the Linux root user. The vulnerability is due to the existence of a default, weak, hard-coded password for the Linux root user of an affected system. A successful...

CVSS 6.3 • AI score 8.7 • EPSS 0.00992
Exploits 0 • References 1
Cisco
•added 2017/06/07 4:0 p.m.•29 views

Cisco Industrial Network Director Cross-Site Scripting Vulnerability

A vulnerability in the web interface of Cisco Industrial Network Director could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack against an affected system. The vulnerability is due to insufficient validation of certain user-supplied input passed in...

CVSS 6.1 • AI score 6.1 • EPSS 0.00247
Exploits 0 • References 1
Cisco
•added 2017/06/07 4:0 p.m.•40 views

Cisco AnyConnect Local Privilege Escalation Vulnerability

A vulnerability in how DLL files are loaded with Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to install and run an executable file with privileges equivalent to the Microsoft Windows SYSTEM account. The vulnerability is due to incomplete input...

CVSS 7.8 • AI score 7.7 • EPSS 0.00062
Exploits 0 • References 1
Cisco
•added 2017/06/07 4:0 p.m.•24 views

Cisco Email Security and Content Security Management Appliance Message Tracking Cross-Site Scripting Vulnerability

A vulnerability in the web-based management interface of Cisco Email Security Appliance (ESA) and Cisco Content Security Management Appliance (SMA) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an...

CVSS 6.1 • AI score 6.1 • EPSS 0.00296
Exploits 0 • References 1
Cisco
•added 2017/06/07 4:0 p.m.•27 views

Cisco Elastic Services Controller Insecure Default Administrator Credentials Vulnerability

A vulnerability in the ConfD CLI of Cisco Elastic Services Controllers could allow an authenticated, remote attacker to log in to an affected system as the admin user. The vulnerability is due to the existence of a default, weak, hard-coded password for the admin user of an affected system. An...

CVSS 6.3 • AI score 8.8 • EPSS 0.00767
Exploits 0 • References 1
Cisco
•added 2017/06/07 4:0 p.m.•27 views

Cisco Ultra Services Platform Information Disclosure Vulnerability

A vulnerability in the ConfD server in Cisco Ultra Services Platform could allow an authenticated, local attacker to view sensitive information. The vulnerability is due to insufficient protection of sensitive files on the system. An attacker could exploit this vulnerability by logging in to the...

CVSS 5.5 • AI score 5.2 • EPSS 0.00067
Exploits 0 • References 1
Cisco
•added 2017/06/07 4:0 p.m.•21 views

Cisco Network Convergence System 5500 Series Routers Local Denial of Service Vulnerability

A vulnerability in the forwarding component of Cisco IOS XR Software for Cisco Network Convergence System (NCS) 5500 Series Routers could allow an authenticated, local attacker to cause the router to stop forwarding data traffic across Traffic Engineering (TE) tunnels, resulting in a denial of servic...

CVSS 6 • AI score 5.8 • EPSS 0.00074
Exploits 0 • References 1
Total number of security vulnerabilities: 5218