35 matches found
CVE-2018-0147
CVE-2018-0147 affects Cisco Secure Access Control System (ACS) prior to 5.8 patch 9. The root cause is insecure Java deserialization of user-supplied content, allowing unauthenticated remote attackers to execute arbitrary commands with root privileges on affected devices. Public sources in the co...
CVE-2018-0253
Cisco Secure Access Control System (ACS) is affected by CVE-2018-0253 in the ACS Report component. The issue stems from insufficient validation of the Action Message Format (AMF) protocol, allowing an unauthenticated, remote attacker to execute arbitrary commands on the ACS device, with commands ...
CVE-2013-1125
Summary: CVE-2013-1125 affects Cisco Identity Services Engine Software, Secure Access Control System (ACS), Application Networking Manager (ANM), Prime LAN Management Solution (LMS), Prime Network Control System, Quad, Context Directory Agent, Prime Collaboration, Unified Provisioning Manager, an...
CVE-2013-1196
The CVE-2013-1196 entry involves multiple Cisco products (ACS, Identity Services Engine, ANM, LMS, Prime NSM/DCNM, Quad, etc.) where the command-line interface does not properly validate input, allowing local users to obtain root privileges via unspecified vectors. Connected documents corroborate...
CVE-2017-12354
The CVE-2017-12354 issue affects Cisco Secure Access Control System (ACS) web-based interface, where an unauthenticated, remote attacker can view sensitive system software version information. Root cause: the software does not adequately protect version information in responses to HTTP requests. ...
CVE-2015-4219
The CVE-2015-4219 issue affects Cisco Secure Access Control System and Cisco Identity Services Engine. The root cause is improper access control for support bundles, allowing an authenticated remote attacker to brute-force credentials and download the bundle contents, potentially leading to infor...
CVE-2011-0951
CVE-2011-0951 affects Cisco Secure Access Control System (ACS) 5.1 (with patches 3/4/5) and 5.2 (no patches or patches 1–2). The web-based management interface contains an authentication/authorization flaw that lets a remote, unauthenticated attacker change arbitrary user passwords via unspecifie...
CVE-2015-0728
Cisco ACS 5.5(0.1) is affected by a cross-site scripting (XSS) vulnerability triggered by a crafted URL. The root cause is improper input validation of certain parameters passed to the device, allowing an unauthenticated remote attacker to inject and execute arbitrary script in the victim’s brows...
CVE-2017-6769
Cisco Secure Access Control System (ACS) web-based management interface contains a stored XSS vulnerability. An authenticated, remote attacker could exploit insufficient input validation and lack of encoding to inject malicious scripts affecting users of the ACS web UI. Affected releases include ...
CVE-2017-3840
CVE-2017-3840 is an open redirect vulnerability in the web interface of Cisco Secure Access Control System (ACS). An unauthenticated remote attacker could cause a user to be redirected to a malicious URL due to improper input validation of HTTP parameters. The issue affects Cisco ACS and is docume...
CVE-2013-6695
The CVE concerns Cisco Secure Access Control System (ACS) where the RBAC implementation fails to verify privileges during support‑bundle downloads. This allows an authenticated remote attacker to obtain sensitive information by downloading the bundle, including read access to the user data...
CVE-2014-0648
Cisco Secure ACS is affected by CVE-2014-0648 via the RMI interface, where improper authentication/authorization could let remote attackers obtain administrative access through RMI endpoints (ports 2020/2030). The related Cisco advisory (cisco-sa-20140115-csacs) also documents additional RMI-rela...
CVE-2014-0668
Cisco Secure ACS Portal suffers a cross-site scripting (XSS) vulnerability due to insufficient input validation of a parameter in the ACS portal. This could allow a remote attacker to inject arbitrary script or HTML when a user visits a malicious link. Cisco’s advisory Cisco-SA-20140121-CVE-2014-...
CVE-2017-3841
CVE-2017-3841 affects Cisco Secure Access Control System (ACS) web interface. The issue arises from sensitive information being included in server responses, enabling an unauthenticated, remote attacker to disclose data. Affected release shown: 5.8(2.5). The primary vendor advisory (Cisco-ACS3, c...
CVE-2014-2130
CVE-2014-2130 is a Cisco ACS (Secure Access Control Server) vulnerability caused by an unintentional default Tomcat administration web interface. An authenticated, remote attacker could access the Tomcat admin interface, modify ACS application and web interface configuration files, and thereby ex...
CVE-2014-8027
CVE-2014-8027 affects Cisco Secure Access Control System (ACS) RBAC, where improper privilege validation allows an authenticated, remote attacker to perform Create/Read/Update/Delete on Network Identity Groups via crafted HTTP requests, escalating to Network Device Administrator privileges. The i...
CVE-2015-0580
Summary: CVE-2015-0580 affects Cisco Secure Access Control System (ACS) prior to 5.5 patch 7, via multiple SQL injection flaws in the ACS View reporting interface. An authenticated remote attacker can craft HTTPS requests to disclose or modify data in ACS View databases due to improper input sani...
CVE-2013-1200
Cisco Secure Access Control System (ACS) is affected by a session fixation vulnerability tied to the lack of session identifier regeneration. An unauthenticated, remote attacker could hijack another user’s web session by capturing or reusing an existing session ID. The issue is documented as CVE-...
CVE-2017-3838
Cisco Secure Access Control System (ACS) contains a DOM-based XSS vulnerability that could be exploited by an unauthenticated, remote attacker via the web interface. The issue arises from insufficient input validation of a user-supplied value and affects at least release 5.8(2.5). The CVE entry i...
CVE-2013-3422
CVE-2013-3422 describes a Cross-Site Scripting (XSS) vulnerability in the Administration pages of Cisco Secure Access Control System (ACS). The root cause is insufficient input validation of a parameter, allowing unauthenticated, remote attackers to craft links that execute arbitrary web script o...
CVE-2013-3428
CVE-2013-3428 affects Cisco Secure Access Control System (ACS). The web interface does not properly suppress error-condition details due to insufficient filtering of error output, allowing remote authenticated users to obtain sensitive information via an error-triggering request (Bug ID CSCue6595...
CVE-2014-0667
Cisco Secure Access Control System (ACS) is affected by CVE-2014-0667 due to insufficient authorization enforcement in the Remote Method Invocation (RMI) interface. A remote, authenticated attacker can read arbitrary files on the ACS server by issuing a crafted request to the RMI interface. The i...
CVE-2014-0649
The CVE-2014-0649 issue affects Cisco Secure Access Control System (ACS) 5.x before 5.5, where the RMI interface does not properly enforce authorization, enabling a remote authenticated user to gain superadmin access via the RMI interface (Bug ID CSCud75180). Connected Cisco advisories confirm an...
CVE-2014-0650
CVE-2014-0650 affects Cisco Secure Access Control System (ACS) 5.x up to, but not including, 5.4 Patch 3. The issue is in the web interface input validation that could allow a remote attacker to inject operating-system commands via a request to the web interface. The vulnerability is part of a se...
CVE-2017-3839
CVE-2017-3839 is an XML External Entity (XXE) vulnerability in Cisco Secure Access Control System (ACS) web UI. An unauthenticated, remote attacker could read part of the information stored on the affected device. Root cause: improper handling of XML entities in the web framework. Affected releas...
CVE-2013-5470
Cisco Secure ACS is affected by CVE-2013-5470 due to a flaw in the TACACS+ socket read function that allows an unauthenticated, remote attacker to crash the runtime process and cause a denial of service. The issue stems from improper processing of read requests on the TACACS+ socket, and can be t...
CVE-2013-3423
CVE-2013-3423 describes a cross-site scripting (XSS) vulnerability in the web interface of Cisco Secure Access Control System (ACS). The issue allows remote attackers to inject arbitrary web script or HTML via an unspecified field due to insufficient input validation. Documentation confirms the a...
CVE-2013-6974
CVE-2013-6974 affects Cisco Secure Access Control System (ACS) web interface. The vulnerability is a Cross-Site Scripting (XSS) flaw caused by insufficient input validation of a parameter, enabling an unauthenticated, remote attacker to inject arbitrary web script or HTML via a crafted link. Cisc...
CVE-2014-8028
Cisco Secure ACS (Access Control Server) is affected by multiple cross-site scripting (XSS) vulnerabilities in its web framework. The issue stems from insufficient input validation of several parameters passed to the web server, allowing remote attackers to craft links that persuade users to exec...
CVE-2013-3424
Cisco ACS is affected by CVE-2013-3424: a CSRF vulnerability in the Administration and View pages could allow an unauthenticated/remote attacker to hijack the authentication of a user (Bug CSCud75177). Impact per sources includes potential actions taken in the context of an authenticated session ...
CVE-2013-5536
Cisco Secure Access Control System (ACS) is affected by a DoS vulnerability in its firewall modules due to improper implementation of the incoming-packet filter. An unauthenticated, remote attacker could crash internal processes by flooding the service with crafted packets (Bug ID CSCui51521). Mu...
CVE-2014-8029
CVE-2014-8029 affects Cisco Secure Access Control Server (ACS) web interface. It is an open redirect vulnerability due to insufficient input validation of a specific parameter, enabling an unauthenticated, remote attacker to lure users to arbitrary sites and conduct phishing via a crafted link. Ci...
CVE-2013-3421
CVE-2013-3421 (Cisco ACS) describes a Cross-Site Scripting (XSS) vulnerability on the Help index page of Cisco Secure Access Control System (ACS). The issue arises from insufficient input validation of a parameter, enabling an unauthenticated, remote attacker to inject arbitrary script or HTML wh...
CVE-2014-0663
Cisco Secure Access Control System (ACS) web framework contains a Cross‑Site Scripting (XSS) flaw due to insufficient input validation of an unspecified parameter. An unauthenticated, remote attacker can lure a user to a malicious link to execute arbitrary web script or HTML in the web interface....
CVE-2014-0678
CVE-2014-0678 affects Cisco Secure Access Control System (ACS) Portal Interface. The vulnerability stems from insufficient session management in the portal, allowing an authenticated remote attacker to hijack a user’s session and perform actions with the other user’s privileges. Cisco acknowledge...