Cisco Unity Connection Cross-Site Request Forgery Vulnerability
A cross-site request forgery (CSRF) vulnerability in Cisco Unity Connection could allow an unauthenticated, remote attacker to execute unwanted actions. The vulnerability is due to a lack of CSRF protections by an affected device. An attacker could exploit this vulnerability by convincing a user to...
Cisco Prime Collaboration Assurance Default Account Credential Vulnerability
A vulnerability in Cisco Prime Collaboration Assurance (PCA) Software could allow an unauthenticated, remote attacker to log in to the system shell with the default cmuser user account and access the shell with a limited set of permissions. The vulnerability is due to an undocumented account that h...
Vulnerability in Java Deserialization Affecting Cisco Products
A vulnerability in the Java deserialization used by the Apache Commons Collections (ACC) library could allow an unauthenticated, remote attacker to execute arbitrary code. The vulnerability is due to insecure deserialization of user-supplied content by the affected software. An attacker could explo...
Cisco TelePresence Video Communication Server Expressway Web Framework Code Unauthorized Access Vulnerability
A vulnerability in the web framework code of Cisco TelePresence Video Communication Server (VCS) Expressway could allow an authenticated, remote attacker to install Tandberg Linux Packages (TLPs) without proper authorization. The vulnerability is due to missing authorization checks on certain...
Cisco FirePOWER Management Center Software Version Information Disclosure Vulnerability
A vulnerability in Cisco FirePOWER Management Center could allow an unauthenticated, remote attacker to obtain information about the version of Cisco FirePOWER Management Center software that is running on an affected system. An attacker could use this information to conduct reconnaissance attack...
Multiple Cisco IP Phones Firmware Image Upload Vulnerability
A vulnerability in the TFTP implementation of the Cisco Small Business SPA30X and SPA50X IP Phones could allow an unauthenticated, local attacker to load arbitrary firmware images onto the affected device. The vulnerability is due to insufficient file integrity checks of the firmware image. An...
Cisco Unified Communications Manager Mobile and Remote Access Services Identity Attack Vulnerability
A vulnerability in edge devices of the Cisco Unified Communications Manager using Mobile and Remote Access (MRA) services could allow an unauthenticated, remote attacker to perform an identity theft attack. The vulnerability is due to improper identity validation of the edge devices. An attacker...
Cisco DPC3939 (XB3) Router Administrative Web Interface Command Injection Vulnerability
A vulnerability in the administrative web interface of the Cisco DPC3939 (XB3) router could allow an authenticated, remote attacker to execute arbitrary commands on the affected system and on the devices managed by the system. The vulnerability is due to improper user input validation. An attacker...
Cisco Wireless Residential Unauthorized Command Vulnerability
A vulnerability with web interface access authentication of the Cisco EPC3928 Wireless Residential Gateway could allow an unauthenticated, remote attacker to issue a subset of commands as the administrator without authenticating to the device. The vulnerability is due to lack of authentication...
Cisco Wireless Residential Gateway Stored Cross-Site Scripting Vulnerability
A vulnerability in the web-based management interface of the Cisco EPC3928 Wireless Residential Gateway could allow an unauthenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web interface of the affected system. The vulnerability is due to...
Cisco Residential Gateway Devices Cross-Site Request Forgery Vulnerability
A vulnerability in the web interface of Cisco Model DPQ3925 8x4 DOCSIS 3.0 Wireless Residential Gateway with Embedded Digital Voice Adapter (EDVA) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack against the user of the web interface. The...
Cisco Prime Service Catalog Web Interface Unauthorized Access Vulnerability
A vulnerability in the web interface of Cisco Prime Service Catalog could allow an unauthenticated, remote attacker to perform limited configuration changes. The vulnerability is due to missing access controls in some of the web pages that allow configuration changes. An attacker could exploit th...
Multiple Vulnerabilities in OpenSSL (December 2015) Affecting Cisco Products
On December 3, 2015, the OpenSSL Project released a security advisory detailing five vulnerabilities. Multiple Cisco products incorporate a version of the OpenSSL package affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to cause a denial of service (DoS)...
Cisco Nexus 5000 Series USB Driver Denial of Service Vulnerability
A vulnerability in the USB driver for Cisco Nexus 5000 Series Switches could allow an unauthenticated, local attacker to cause a denial of service (DoS) condition due to a kernel crash. The vulnerability is due to insufficient handling of USB input parameters. An attacker could exploit this...
Cisco SIP Phone 3905 Resource Limitation Denial of Service Vulnerability
A vulnerability in the Cisco Unified SIP Phone 3905 could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to a resource limitation of the device. An attacker could exploit this vulnerability by sending large...
Cisco Unity Connection Cross-Site Scripting Vulnerability
A vulnerability in the HTTP web-based management interface of Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface of the affected system. The vulnerability is due to insufficient input validation...
Cisco WebEx Meetings for Android Custom Permissions Vulnerability
A vulnerability in the custom application permissions handling for Cisco WebEx Meetings for Android could allow an unauthenticated, remote attacker to change platform-specific permissions of a custom application. The vulnerability is due to the way custom application permissions are assigned at...
Cisco Unified Computing System Central Software Cross-Site Scripting Vulnerability
A vulnerability in the HTTP web-based management interface of Cisco Unified Computing System (UCS) Central Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface of the affected system. The vulnerability is due to...
Cisco UCS Central Software Server-Side Request Forgery Vulnerability
A vulnerability in the Cisco Unified Computing System (UCS) Central software could allow an unauthenticated, remote attacker to bypass access controls and conduct a server-side request forgery (SSRF) on a targeted system. The vulnerability is due to improper validation of user-supplied input on the...
Cisco Cloud Services Router 1000V Command Injection Vulnerability
A vulnerability in the event manager environment and publish-event function of the Cisco Cloud Services Router 1000V Series could allow an authenticated, local attacker to perform a command injection attack with root-level privileges. The vulnerability is due to a lack of proper input validation ...
Cisco Web Security Appliance Native FTP Denial of Service Vulnerability
A vulnerability in the native passthrough FTP functionality of the Cisco Web Security Appliance (WSA) could allow an unauthenticated, remote attacker to cause a partial denial of service (DoS) condition due to high CPU utilization. The vulnerability occurs when the FTP client terminates the FTP contr...
Cisco IOS XE 3S Platforms Series root Shell License Bypass Vulnerability
A vulnerability in one of the diagnostic commands in the Cisco IOS XE operating system for Cisco IOS XE 3S platforms could allow an authenticated, privileged, local attacker to gain restricted root shell access. The root shell is provided for advanced troubleshooting with Cisco Technical Assistan...
Multiple Cisco Products Confidential Information Decryption Man-in-the-Middle Vulnerability
A vulnerability in the cryptographic implementation of multiple Cisco products could allow an unauthenticated, remote attacker to make use of hard-coded certificate and keys embedded within the firmware of the affected device. The vulnerability is due to the lack of unique key and certificate...
Cisco ASR 5000 Series Telnetd Denial of Service Vulnerability
A vulnerability in the Telnet feature of the Cisco Aggregation Services Router (ASR) 5000 Series could allow an unauthenticated, remote attacker to cause a partial denial of service (DoS) condition due to an unexpected telnetd process restart. The vulnerability is due to flaws in the Telnet...
Cisco ASA Management Interface XML Parser Denial of Service Vulnerability
A vulnerability in the XML parser of the management interface in Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, remote attacker to cause system instability and possibly crash an affected system. The vulnerability is due to insufficient hardening of the XML parser cod...
Cisco Virtual Topology System TCP Connection Functionality Denial of Service Vulnerability
A vulnerability in TCP connection handling by Cisco Virtual Topology System (VTS) devices could allow an unauthenticated, remote attacker to disable TCP ports and cause a denial of service (DoS) condition due to high CPU and memory utilization. The vulnerability is due to a lack of rate limiting in t...
Cisco Firepower 9000 Operating System Command Injection Vulnerability
A vulnerability in a user script supplied with Cisco Firepower 9000 could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system with the privileges of the authenticated user. The script can be accessed via the web interface. The vulnerability is...
Cisco TelePresence Video Communication Server Cross-Site Request Forgery Vulnerability
A vulnerability in Cisco TelePresence Video Communication Server (VCS) could allow an unauthenticated, remote attacker to execute unwanted actions. The vulnerability is due to a lack of cross-site request forgery (CSRF) protections. An attacker could exploit this vulnerability by persuading a user of...
Cisco Networking Services Sensitive Information Disclosure Vulnerability
A vulnerability in the debug logging function of Cisco Networking Services (CNS) used for configuring Cisco IOS networking devices could allow an authenticated, local attacker to disclose sensitive data. The vulnerability is due to insufficient protections of sensitive data at rest. An attacker...
Cisco Firepower 9000 Series Switch Clickjacking Vulnerability
A vulnerability in the web interface of the Cisco Firepower 9000 Series Switch could allow an unauthenticated, remote attacker to affect the integrity of the device through a clickjacking or phishing attack. The vulnerability is due to the lack of proper input sanitization of iFrame data in the HT...
Cisco Firepower 9000 Cross-Site Request Forgery Vulnerability
A vulnerability in the Cisco Firepower 9000 Series Switch could allow an unauthenticated, remote attacker to execute unwanted actions. The vulnerability is due to a lack of cross-site request forgery (CSRF) protection. An attacker could exploit this vulnerability by tricking the user of a web...
Cisco Firepower 9000 USB Kernel Denial of Service Vulnerability
A vulnerability in the USB driver of Cisco Firepower 9000 could allow an unauthenticated, local attacker with physical access to the device to send invalid USB commands to the kernel and cause a denial of service (DoS) condition. The vulnerability is due to insufficient sanitization of USB input...
Cisco Firepower 9000 Arbitrary File Read Access Script Vulnerability
A vulnerability in a user script supplied with Cisco Firepower 9000 devices could allow an authenticated, remote attacker to view any file on the device, even ones that should be restricted to authenticated users. The vulnerability is due to lack of input validation of the parameters passed to...
Cisco Firepower 9000 Command Injection at Management I/O Command-Line Interface Vulnerability
A vulnerability in the Management I/O (MIO) command-line interface (CLI) command execution of Cisco Firepower 9000 devices could allow an authenticated, local attacker to access the underlying operating system and execute commands at the root privilege level. The vulnerability is due to insufficient...
Cisco Firepower 9000 Persistent Cross-Site Scripting Vulnerability
A vulnerability in the HTTP web-based management interface of Cisco Firepower 9000 devices could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the affected system. The vulnerability is due to insufficient input validation of a user-suppli...
Cisco FireSIGHT Management Center Certificate Validation Vulnerability
A vulnerability in the rule update functionality of Cisco FireSIGHT Management Center (MC) could allow an unauthenticated, remote attacker to manipulate the content of the rule update packages and execute arbitrary code on the system. The vulnerability is due to lack of certificate validation durin...
Cisco Prime Collaboration Assurance Cross-Site Request Forgery Vulnerability
A vulnerability in the web interface of Cisco Prime Collaboration Assurance could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack against a user of the web interface. The vulnerability is due to insufficient CSRF protections. An attacker could exploit...
Cisco Firepower 9000 Unauthenticated File Access Vulnerability
A vulnerability in the web interface of the Cisco Firepower 9000 Series Switches could allow an unauthenticated, remote attacker to view certain files on the device that should be restricted. The vulnerability is due to lack of proper authentication checks when a request to download and view a...
Cisco IOS Software Virtual PPP Interfaces Security Bypass Vulnerability
A vulnerability in Cisco devices that are running Cisco IOS Software Release 15.2(4)M or Cisco IOS Software Release 15.4(3)M and are configured to use access control lists (ACLs) could allow a user who is connected to an authenticated PPP session to bypass ACLs that are configured on virtual PPP...
Cisco Videoscape Distribution Suite Service Manager Information Disclosure Vulnerability
A vulnerability in the Representational State Transfer (REST) Application Programming Interface (API) that is used by Cisco Videoscape Distribution Suite Service Manager could allow an unauthenticated, remote attacker to cause an affected device to disclose sensitive information. The vulnerability is...
Cisco Aironet 1800 Series Access Point SSHv2 Denial of Service Vulnerability
A vulnerability in the Secure Shell Version 2 (SSHv2) protocol of Cisco Aironet 1800 Series Access Points could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition due to high CPU utilization and an accumulation of SSHv2 connections. The vulnerability is due to...
Cisco IOS Software Tunnel Interfaces Security Bypass Vulnerability
A vulnerability in Cisco devices running IOS Software versions 15.2(4)M6 and 15.4(3)S configured with access control lists (ACLs) could allow an unauthenticated, remote user connected to a tunnel interface to bypass configured ACLs on tunnel interfaces if the ACL on the physical interface permits the...
Cisco FireSIGHT Management Center Web Framework Cross-Site Scripting Vulnerability
A vulnerability in the web framework of Cisco FireSIGHT Management Center (MC) could allow an authenticated, remote attacker to execute a stored, cross-site scripting (XSS) attack against a user of the web interface. The vulnerability is due to improper sanitization of parameter values. An attacker...
Cisco Connected Grid Network Management System Privilege Escalation Vulnerability
A vulnerability in the web GUI of Cisco Connected Grid Network Management System could allow an authenticated, remote attacker to perform limited configuration changes while logged in as a user having the Monitor-Only role. The vulnerability is due to insufficient authorization controls. An...
Cisco Web Security Appliance Range Request Denial of Service Vulnerability
A vulnerability in the file-range request functionality of Cisco AsyncOS for Cisco Web Security Appliance (WSA) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an appliance because the appliance runs out of system memory. The vulnerability is due to a...
Cisco Mobility Services Engine Static Credential Vulnerability
A vulnerability in the Cisco Mobility Services Engine (MSE) could allow an unauthenticated, remote attacker to log in to the MSE with the default oracle account. This account does not have full administrator privileges. The vulnerability is due to a user account that has a default and static...
Cisco Web Security Appliance Certificate Generation Command Injection Vulnerability
A vulnerability in the certificate generation process in the admin web interface of the Cisco Web Security Appliance (WSA) could allow an authenticated, remote attacker to execute arbitrary commands on an affected system with root-level privileges. The vulnerability is due to the improper...
Cisco Mobility Services Engine Privilege Escalation Vulnerability
A vulnerability in the installation procedure of the Cisco Mobility Services Engine (MSE) appliance could allow an authenticated, local attacker to escalate to the root level. The vulnerability is due to incorrect installation and permissions settings on binary files during the MSE physical or...
Cisco Web Security Appliance Cache Reply Denial of Service Vulnerability
A vulnerability in the proxy cache functionality of Cisco AsyncOS for Cisco Web Security Appliance (WSA) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition because the device runs out of system memory. The vulnerability is due to improper memory operations by...
Cisco Email Security Appliance Email Scanner Denial of Service Vulnerability
A vulnerability in the email message filtering feature of Cisco AsyncOS for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to cause an ESA device to become unavailable due to a denial of service (DoS) condition. The vulnerability is due to improper input validati...