Filtered by vendor Cisco
Subscribe
Search
Total
1519 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-0198 | 1 Cisco | 1 Unified Communications Manager | 2020-09-04 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability in the web framework of Cisco Unified Communications Manager could allow an unauthenticated, remote attacker to view sensitive data. The vulnerability is due to insufficient protection of database tables. An attacker could exploit this vulnerability by browsing to a specific URL. A successful exploit could allow the attacker to view data library information. Cisco Bug IDs: CSCvh66592. | |||||
| CVE-2018-0224 | 1 Cisco | 4 Asr 5000, Asr 5500, Asr 5700 and 1 more | 2020-09-04 | 7.2 HIGH | 6.7 MEDIUM |
| A vulnerability in the CLI of the Cisco StarOS operating system for Cisco ASR 5000 Series Aggregation Services Routers could allow an authenticated, local attacker to execute arbitrary commands with root privileges on an affected operating system. The vulnerability is due to insufficient validation of user-supplied input by the affected operating system. An attacker could exploit this vulnerability by authenticating to an affected system and injecting malicious arguments into a vulnerable CLI command. A successful exploit could allow the attacker to execute arbitrary commands with root privileges on the affected system. Cisco Bug IDs: CSCvg38807. | |||||
| CVE-2018-0217 | 1 Cisco | 6 Asr 5000, Asr 5000 Firmware, Asr 5500 and 3 more | 2020-09-04 | 7.2 HIGH | 6.7 MEDIUM |
| A vulnerability in the CLI of the Cisco StarOS operating system for Cisco ASR 5000 Series Aggregation Services Routers could allow an authenticated, local attacker to perform a command injection attack on an affected system. The vulnerability is due to insufficient validation of commands that are supplied to certain configurations in the CLI of the affected operating system. An attacker could exploit this vulnerability by injecting crafted arguments into a vulnerable CLI command for an affected system. A successful exploit could allow the attacker to insert and execute arbitrary commands in the CLI of the affected system. To exploit this vulnerability, the attacker would need to authenticate to an affected system by using valid administrator credentials. Cisco Bug IDs: CSCvg29441. | |||||
| CVE-2018-0214 | 1 Cisco | 1 Identity Services Engine | 2020-09-04 | 4.6 MEDIUM | 5.3 MEDIUM |
| A vulnerability in certain CLI commands of Cisco Identity Services Engine (ISE) could allow an authenticated, local attacker to execute arbitrary commands on the host operating system with the privileges of the local user, aka Command Injection. These commands should have been restricted from this user. The vulnerability is due to insufficient input validation of CLI command user input. An attacker could exploit this vulnerability by authenticating to the targeted device and issuing a CLI command with crafted user input. A successful exploit could allow the attacker to execute arbitrary commands on the affected system that should be restricted. The attacker would need to have valid user credentials for the device. Cisco Bug IDs: CSCvf49844. | |||||
| CVE-2018-0140 | 1 Cisco | 19 Content Security Management Appliance, Content Security Management Appliance Sma M190, Content Security Management Appliance Sma M390 and 16 more | 2020-09-04 | 4.0 MEDIUM | 6.5 MEDIUM |
| A vulnerability in the spam quarantine of Cisco Email Security Appliance and Cisco Content Security Management Appliance could allow an authenticated, remote attacker to download any message from the spam quarantine by modifying browser string information. The vulnerability is due to a lack of verification of authenticated user accounts. An attacker could exploit this vulnerability by modifying browser strings to see messages submitted by other users to the spam quarantine within their company. Cisco Bug IDs: CSCvg39759, CSCvg42295. | |||||
| CVE-2020-3490 | 1 Cisco | 1 Vision Dynamic Signage Director | 2020-09-04 | 6.8 MEDIUM | 4.9 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Vision Dynamic Signage Director could allow an authenticated, remote attacker with administrative privileges to conduct directory traversal attacks and obtain read access to sensitive files on an affected system. The vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request that contains directory traversal character sequences to an affected system. A successful exploit could allow the attacker to read files on the underlying operating system with root privileges. To exploit this vulnerability, the attacker would need to have administrative privileges on the affected system. | |||||
| CVE-2018-0134 | 1 Cisco | 1 Mobility Services Engine | 2020-09-04 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability in the RADIUS authentication module of Cisco Policy Suite could allow an unauthenticated, remote attacker to determine whether a subscriber username is valid. The vulnerability occurs because the Cisco Policy Suite RADIUS server component returns different authentication failure messages based on the validity of usernames. An attacker could use these messages to determine whether a valid subscriber username has been identified. The attacker could use this information in subsequent attacks against the system. Cisco Bug IDs: CSCvg47830. | |||||
| CVE-2018-0122 | 1 Cisco | 4 Asr 5000, Asr 5500, Asr 5700 and 1 more | 2020-09-04 | 6.6 MEDIUM | 4.4 MEDIUM |
| A vulnerability in the CLI of the Cisco StarOS operating system for Cisco ASR 5000 Series Aggregation Services Routers could allow an authenticated, local attacker to overwrite system files that are stored in the flash memory of an affected system. The vulnerability is due to insufficient validation of user-supplied input by the affected operating system. An attacker could exploit this vulnerability by injecting crafted command arguments into a vulnerable CLI command for the affected operating system. A successful exploit could allow the attacker to overwrite or modify arbitrary files that are stored in the flash memory of an affected system. To exploit this vulnerability, the attacker would need to authenticate to an affected system by using valid administrator credentials. Cisco Bug IDs: CSCvf93335. | |||||
| CVE-2018-0105 | 1 Cisco | 1 Unified Communications Manager | 2020-09-04 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability in the web framework of Cisco Unified Communications Manager could allow an unauthenticated, remote attacker to view sensitive data. The vulnerability is due to insufficient protection of database tables. An attacker could exploit this vulnerability by browsing to a specific URL. An exploit could allow the attacker to view data library information. Cisco Bug IDs: CSCvf20269. | |||||
| CVE-2017-12308 | 1 Cisco | 170 Esw2-350g-52, Esw2-350g-52 Firmware, Esw2-350g-52dc and 167 more | 2020-09-04 | 5.8 MEDIUM | 6.1 MEDIUM |
| A vulnerability in the web framework of Cisco Small Business Managed Switches software could allow an unauthenticated, remote attacker to conduct an HTTP response splitting attack against a user of the web interface of an affected system. The vulnerability is due to insufficient input validation of some parameters that are passed to the web server of the affected system. An attacker could exploit this vulnerability by convincing a user to follow a malicious link or by intercepting a user request and injecting malicious code into the request. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected web interface or allow the attacker to access sensitive browser-based information. This vulnerability affects the following Cisco Small Business 300 and 500 Series Managed Switches: Cisco 350 Series Managed Switches, Cisco 350X Series Stackable Managed Switches, Cisco 550X Series Stackable Managed Switches, Cisco ESW2 Series Advanced Switches, Cisco Small Business 300 Series Managed Switches, Cisco Small Business 500 Series Stackable Managed Switches. Cisco Bug IDs: CSCvg29980. | |||||
| CVE-2017-12307 | 1 Cisco | 170 Esw2-350g-52, Esw2-350g-52 Firmware, Esw2-350g-52dc and 167 more | 2020-09-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability in the web framework of Cisco Small Business Managed Switches software could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the web interface of an affected system. The vulnerability is due to insufficient input validation of parameters that are passed to the web server of the affected system. An attacker could exploit this vulnerability by convincing a user to follow a malicious link or by intercepting and injecting code into a user request. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected web interface or allow the attacker to access sensitive browser-based information. This vulnerability affects the following Cisco Small Business 300 and 500 Series Managed Switches: Cisco Small Business 300 Series Managed Switches, Cisco Small Business 500 Series Stackable Managed Switches, Cisco 350 Series Managed Switches, Cisco 350X Series Stackable Managed Switches, Cisco 550X Series Stackable Managed Switches, Cisco ESW2 Series Advanced Switches. Cisco Bug IDs: CSCvg24637. | |||||
| CVE-2017-6720 | 1 Cisco | 170 Esw2-350g-52, Esw2-350g-52 Firmware, Esw2-350g-52dc and 167 more | 2020-09-04 | 6.8 MEDIUM | 6.5 MEDIUM |
| A vulnerability in the Secure Shell (SSH) subsystem of Cisco Small Business Managed Switches software could allow an authenticated, remote attacker to cause a reload of the affected switch, resulting in a denial of service (DoS) condition. The vulnerability is due to improper processing of SSH connections. An attacker could exploit this vulnerability by logging in to an affected switch via SSH and sending a malicious SSH message. This vulnerability affects the following Cisco products when SSH is enabled: Small Business 300 Series Managed Switches, Small Business 500 Series Stackable Managed Switches, 350 Series Managed Switches, 350X Series Stackable Managed Switches, 550X Series Stackable Managed Switches, ESW2 Series Advanced Switches. Cisco Bug IDs: CSCvb48377. | |||||
| CVE-2018-0355 | 1 Cisco | 1 Unified Communications Manager | 2020-09-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability in the web UI of Cisco Unified Communications Manager (Unified CM) could allow an unauthenticated, remote attacker to conduct a cross-frame scripting (XFS) attack against the user of the web UI of an affected system. The vulnerability is due to insufficient protections for HTML inline frames (iframes) by the web UI of the affected software. An attacker could exploit this vulnerability by persuading a user of the affected UI to navigate to an attacker-controlled web page that contains a malicious HTML iframe. A successful exploit could allow the attacker to conduct click-jacking or other client-side browser attacks on the affected system. Cisco Bug IDs: CSCvg19761. | |||||
| CVE-2018-0329 | 1 Cisco | 1 Wide Area Application Services | 2020-09-04 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability in the default configuration of the Simple Network Management Protocol (SNMP) feature of Cisco Wide Area Application Services (WAAS) Software could allow an unauthenticated, remote attacker to read data from an affected device via SNMP. The vulnerability is due to a hard-coded, read-only community string in the configuration file for the SNMP daemon. An attacker could exploit this vulnerability by using the static community string in SNMP version 2c queries to an affected device. A successful exploit could allow the attacker to read any data that is accessible via SNMP on the affected device. Note: The static credentials are defined in an internal configuration file and are not visible in the current operation configuration ('running-config') or the startup configuration ('startup-config'). Cisco Bug IDs: CSCvi40137. | |||||
| CVE-2020-3484 | 1 Cisco | 1 Vision Dynamic Signage Director | 2020-09-04 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Vision Dynamic Signage Director could allow an unauthenticated, remote attacker to view potentially sensitive information on an affected device. The vulnerability is due to incorrect permissions within Apache configuration. An attacker could exploit this vulnerability by sending a crafted HTTP request to the web-based management interface. A successful exploit could allow the attacker to view potentially sensitive information on the affected device. | |||||
| CVE-2020-3466 | 1 Cisco | 1 Dna Center | 2020-09-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple vulnerabilities in the web-based management interface of Cisco DNA Center software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface of an affected device. The vulnerabilities exist because the web-based management interface on an affected device does not properly validate user-supplied input. An attacker could exploit these vulnerabilities by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. | |||||
| CVE-2020-3440 | 1 Cisco | 1 Webex Meetings | 2020-09-02 | 4.3 MEDIUM | 6.5 MEDIUM |
| A vulnerability in Cisco Webex Meetings Desktop App for Windows could allow an unauthenticated, remote attacker to overwrite arbitrary files on an end-user system. The vulnerability is due to improper validation of URL parameters that are sent from a website to the affected application. An attacker could exploit this vulnerability by persuading a user to follow a URL to a website that is designed to submit crafted input to the affected application. A successful exploit could allow the attacker to overwrite arbitrary files on the affected system, possibly corrupting or deleting critical system files. | |||||
| CVE-2020-3491 | 1 Cisco | 1 Vision Dynamic Signage Director | 2020-09-02 | 3.5 LOW | 4.8 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Vision Dynamic Signage Director could allow an authenticated, remote attacker with administrative privileges to conduct a cross-site scripting (XSS) attack against a user of the interface on an affected device. The vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by inserting malicious data into a specific data field in the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker would need to have administrative privileges on the affected device. | |||||
| CVE-2020-3389 | 1 Cisco | 1 Hyperflex Hx-series Software | 2020-09-01 | 2.1 LOW | 4.4 MEDIUM |
| A vulnerability in the installation component of Cisco Hyperflex HX-Series Software could allow an authenticated, local attacker to retrieve the password that was configured at installation on an affected device. The vulnerability exists because sensitive information is stored as clear text. An attacker could exploit this vulnerability by authenticating to an affected device and navigating to the directory that contains sensitive information. A successful exploit could allow the attacker to obtain sensitive information in clear text from the affected device. | |||||
| CVE-2020-3152 | 1 Cisco | 1 Connected Mobile Experiences | 2020-09-01 | 7.2 HIGH | 6.7 MEDIUM |
| A vulnerability in Cisco Connected Mobile Experiences (CMX) could allow an authenticated, local attacker with administrative credentials to execute arbitrary commands with root privileges. The vulnerability is due to improper user permissions that are configured by default on an affected system. An attacker could exploit this vulnerability by sending crafted commands to the CLI. A successful exploit could allow the attacker to elevate privileges and execute arbitrary commands on the underlying operating system as root. To exploit this vulnerability, an attacker would need to have valid administrative credentials. | |||||
| CVE-2020-3151 | 1 Cisco | 1 Connected Mobile Experiences | 2020-09-01 | 3.6 LOW | 6.7 MEDIUM |
| A vulnerability in the CLI of Cisco Connected Mobile Experiences (CMX) could allow an authenticated, local attacker with administrative credentials to bypass restrictions on the CLI. The vulnerability is due to insufficient security mechanisms in the restricted shell implementation. An attacker could exploit this vulnerability by sending crafted commands to the CLI. A successful exploit could allow the attacker to escape the restricted shell and execute a set of normally unauthorized commands with the privileges of a non-root user. To exploit this vulnerability, an attacker would need to have valid administrative credentials. | |||||
| CVE-2019-12718 | 1 Cisco | 216 Sf200-24, Sf200-24 Firmware, Sf200-24fp and 213 more | 2020-09-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability in the web-based interface of Cisco Small Business Smart and Managed Switches could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based interface. The vulnerability is due to insufficient validation of user-supplied input by the web-based interface of the affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a malicious link and subsequently access a specific web interface page. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive browser-based information. | |||||
| CVE-2018-15407 | 1 Cisco | 1 Hyperflex Hx Data Platform | 2020-08-31 | 2.1 LOW | 5.5 MEDIUM |
| A vulnerability in the installation process of Cisco HyperFlex Software could allow an authenticated, local attacker to read sensitive information. The vulnerability is due to insufficient cleanup of installation files. An attacker could exploit this vulnerability by accessing the residual installation files on an affected system. A successful exploit could allow the attacker to collect sensitive information regarding the configuration of the system. | |||||
| CVE-2018-15405 | 1 Cisco | 1 Ucs Director | 2020-08-31 | 4.0 MEDIUM | 6.5 MEDIUM |
| A vulnerability in the web interface for specific feature sets of Cisco Integrated Management Controller (IMC) Supervisor and Cisco UCS Director could allow an authenticated, remote attacker to access sensitive information. The vulnerability is due to an authorization check that does not properly include the access level of the web interface user. An attacker who has valid application credentials could exploit this vulnerability by sending a crafted HTTP request to the web interface. A successful exploit could allow the attacker to view sensitive information that belongs to other users. The attacker could then use this information to conduct additional reconnaissance attacks. | |||||
| CVE-2018-15390 | 1 Cisco | 1 Firepower Threat Defense | 2020-08-31 | 7.1 HIGH | 6.8 MEDIUM |
| A vulnerability in the FTP inspection engine of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition. The vulnerability exists because the affected software fails to release spinlocks when a device is running low on system memory, if the software is configured to apply FTP inspection and an access control rule to transit traffic, and the access control rule is associated with an FTP file policy. An attacker could exploit this vulnerability by sending a high rate of transit traffic through an affected device to cause a low-memory condition on the device. A successful exploit could allow the attacker to cause a software panic on the affected device, which could cause the device to reload and result in a temporary DoS condition. | |||||
| CVE-2020-3522 | 1 Cisco | 1 Data Center Network Manager | 2020-08-31 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) Software could allow an authenticated, remote attacker to bypass authorization on an affected device and access sensitive information that is related to the device. The vulnerability exists because the affected software allows users to access resources that are intended for administrators only. An attacker could exploit this vulnerability by submitting a crafted URL to an affected device. A successful exploit could allow the attacker to add, delete, and edit certain network configurations in the same manner as a user with administrative privileges. | |||||
| CVE-2020-3523 | 1 Cisco | 1 Data Center Network Manager | 2020-08-31 | 3.5 LOW | 5.4 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) Software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. The vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information. | |||||
| CVE-2018-0331 | 1 Cisco | 77 Firepower 4110, Firepower 4120, Firepower 4140 and 74 more | 2020-08-31 | 6.1 MEDIUM | 6.5 MEDIUM |
| A vulnerability in the Cisco Discovery Protocol (formerly known as CDP) subsystem of devices running, or based on, Cisco NX-OS Software contain a vulnerability that could allow an unauthenticated, adjacent attacker to create a denial of service (DoS) condition. The vulnerability is due to a failure to properly validate certain fields within a Cisco Discovery Protocol message prior to processing it. An attacker with the ability to submit a Cisco Discovery Protocol message designed to trigger the issue could cause a DoS condition on an affected device while the device restarts. This vulnerability affects Firepower 4100 Series Next-Generation Firewall, Firepower 9300 Security Appliance, MDS 9000 Series Multilayer Director Switches, Nexus 1000V Series Switches, Nexus 1100 Series Cloud Services Platforms, Nexus 2000 Series Switches, Nexus 3000 Series Switches, Nexus 3500 Platform Switches, Nexus 3600 Platform Switches, Nexus 5500 Platform Switches, Nexus 5600 Platform Switches, Nexus 6000 Series Switches, Nexus 7000 Series Switches, Nexus 7700 Series Switches, Nexus 9000 Series Switches in NX-OS mode, Nexus 9500 R-Series Line Cards and Fabric Modules, UCS 6100 Series Fabric Interconnects, UCS 6200 Series Fabric Interconnects, UCS 6300 Series Fabric Interconnects. Cisco Bug IDs: CSCvc89242, CSCve40943, CSCve40953, CSCve40965, CSCve40970, CSCve40978, CSCve40992, CSCve41000, CSCve41007. | |||||
| CVE-2018-15368 | 1 Cisco | 1 Ios Xe | 2020-08-28 | 7.2 HIGH | 6.7 MEDIUM |
| A vulnerability in the CLI parser of Cisco IOS XE Software could allow an authenticated, local attacker to gain access to the underlying Linux shell of an affected device and execute arbitrary commands with root privileges on the device. The vulnerability is due to the affected software improperly sanitizing command arguments to prevent modifications to the underlying Linux filesystem on a device. An attacker who has privileged EXEC mode (privilege level 15) access to an affected device could exploit this vulnerability on the device by executing CLI commands that contain crafted arguments. A successful exploit could allow the attacker to gain access to the underlying Linux shell of the affected device and execute arbitrary commands with root privileges on the device. | |||||
| CVE-2018-0481 | 1 Cisco | 1 Ios Xe | 2020-08-28 | 7.2 HIGH | 6.7 MEDIUM |
| A vulnerability in the CLI parser of Cisco IOS XE Software could allow an authenticated, local attacker to execute commands on the underlying Linux shell of an affected device with root privileges. The vulnerability exist because the affected software improperly sanitizes command arguments, failing to prevent access to certain internal data structures on an affected device. An attacker who has privileged EXEC mode (privilege level 15) access to an affected device could exploit these vulnerabilities on the device by executing CLI commands that contain custom arguments. A successful exploit could allow the attacker to execute arbitrary commands with root privileges on the affected device. | |||||
| CVE-2018-0477 | 1 Cisco | 1 Ios Xe | 2020-08-28 | 7.2 HIGH | 6.7 MEDIUM |
| A vulnerability in the CLI parser of Cisco IOS XE Software could allow an authenticated, local attacker to execute commands on the underlying Linux shell of an affected device with root privileges. The vulnerability exist because the affected software improperly sanitizes command arguments, failing to prevent access to certain internal data structures on an affected device. An attacker who has privileged EXEC mode (privilege level 15) access to an affected device could exploit these vulnerabilities on the device by executing CLI commands that contain custom arguments. A successful exploit could allow the attacker to execute arbitrary commands with root privileges on the affected device. | |||||
| CVE-2018-0449 | 1 Cisco | 1 Jabber | 2020-08-28 | 3.3 LOW | 4.2 MEDIUM |
| A vulnerability in the Cisco Jabber Client Framework (JCF) software, installed as part of the Cisco Jabber for Mac client, could allow an authenticated, local attacker to corrupt arbitrary files on an affected device that has elevated privileges. The vulnerability exists due to insecure directory permissions set on a JCF created directory. An authenticated attacker with the ability to access an affected directory could create a hard link to an arbitrary location on the affected system. An attacker could convince another user that has administrative privileges to perform an install or update the Cisco Jabber for Mac client to perform such actions, allowing files to be created in an arbitrary location on the disk or an arbitrary file to be corrupted when it is appended to or overwritten. | |||||
| CVE-2018-0282 | 1 Cisco | 149 Catalyst 2960-plus 24lc-l, Catalyst 2960-plus 24lc-s, Catalyst 2960-plus 24pc-l and 146 more | 2020-08-28 | 7.1 HIGH | 6.8 MEDIUM |
| A vulnerability in the TCP socket code of Cisco IOS and IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload. The vulnerability is due to a state condition between the socket state and the transmission control block (TCB) state. While this vulnerability potentially affects all TCP applications, the only affected application observed so far is the HTTP server. An attacker could exploit this vulnerability by sending specific HTTP requests at a sustained rate to a reachable IP address of the affected software. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a denial of service (DoS) condition on an affected device. | |||||
| CVE-2020-3439 | 1 Cisco | 1 Data Center Network Manager | 2020-08-28 | 3.5 LOW | 4.8 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) Software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. The vulnerability is due to insufficient input validation by the web-based management interface. An attacker could exploit this vulnerability by inserting malicious data into a specific data field in the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. | |||||
| CVE-2020-3518 | 1 Cisco | 1 Data Center Network Manager | 2020-08-28 | 3.5 LOW | 5.4 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) Software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface of the affected software. The vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. | |||||
| CVE-2020-3520 | 1 Cisco | 1 Data Center Network Manager | 2020-08-28 | 2.1 LOW | 5.5 MEDIUM |
| A vulnerability in Cisco Data Center Network Manager (DCNM) Software could allow an authenticated, local attacker to obtain confidential information from an affected device. The vulnerability is due to insufficient protection of confidential information on an affected device. An attacker at any privilege level could exploit this vulnerability by accessing local filesystems and extracting sensitive information from them. A successful exploit could allow the attacker to view sensitive data, which they could use to elevate their privilege. | |||||
| CVE-2016-1444 | 1 Cisco | 2 Telepresence Video Communication Server, Telepresence Video Communication Server Software | 2020-08-27 | 5.8 MEDIUM | 6.5 MEDIUM |
| The Mobile and Remote Access (MRA) component in Cisco TelePresence Video Communication Server (VCS) X8.1 through X8.7 and Expressway X8.1 through X8.6 mishandles certificates, which allows remote attackers to bypass authentication via an arbitrary trusted certificate, aka Bug ID CSCuz64601. | |||||
| CVE-2016-1454 | 1 Cisco | 54 5548p, 5548up, 5596t and 51 more | 2020-08-25 | 7.1 HIGH | 6.5 MEDIUM |
| Cisco NX-OS 4.0 through 7.3 and 11.0 through 11.2 on 1000v, 2000, 3000, 3500, 5000, 5500, 5600, 6000, 7000, 7700, and 9000 devices allows remote attackers to cause a denial of service (device reload) by leveraging a peer relationship to send a crafted BGP UPDATE message, aka Bug IDs CSCuq77105 and CSCux11417. | |||||
| CVE-2020-3346 | 1 Cisco | 1 Unified Communications Manager | 2020-08-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability in the web UI of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. The vulnerability exists because the web UI does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive browser-based information. | |||||
| CVE-2020-3447 | 1 Cisco | 2 Content Security Management Appliance, Email Security Appliance | 2020-08-20 | 4.0 MEDIUM | 6.5 MEDIUM |
| A vulnerability in the CLI of Cisco AsyncOS for Cisco Email Security Appliance (ESA) and Cisco AsyncOS for Cisco Content Security Management Appliance (SMA) could allow an authenticated, remote attacker to access sensitive information on an affected device. The vulnerability is due to excessive verbosity in certain log subscriptions. An attacker could exploit this vulnerability by accessing specific log files on an affected device. A successful exploit could allow the attacker to obtain sensitive log data, which may include user credentials. To exploit this vulnerability, the attacker would need to have valid credentials at the operator level or higher on the affected device. | |||||
| CVE-2020-3449 | 1 Cisco | 1 Ios Xr | 2020-08-20 | 4.3 MEDIUM | 4.3 MEDIUM |
| A vulnerability in the Border Gateway Protocol (BGP) additional paths feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to prevent authorized users from monitoring the BGP status and cause the BGP process to stop processing new updates, resulting in a denial of service (DOS) condition. The vulnerability is due to an incorrect calculation of lexicographical order when displaying additional path information within Cisco IOS XR Software, which causes an infinite loop. An attacker could exploit this vulnerability by sending a specific BGP update from a BGP neighbor peer session of an affected device; an authorized user must then issue a show bgp command for the vulnerability to be exploited. A successful exploit could allow the attacker to prevent authorized users from properly monitoring the BGP status and prevent BGP from processing new updates, resulting in outdated information in the routing and forwarding tables. | |||||
| CVE-2020-3448 | 1 Cisco | 1 Cyber Vision Center | 2020-08-20 | 5.0 MEDIUM | 5.8 MEDIUM |
| A vulnerability in an access control mechanism of Cisco Cyber Vision Center Software could allow an unauthenticated, remote attacker to bypass authentication and access internal services that are running on an affected device. The vulnerability is due to insufficient enforcement of access control in the software. An attacker could exploit this vulnerability by directly accessing the internal services of an affected device. A successful exploit could allow an attacker to impact monitoring of sensors that are managed by the software. | |||||
| CVE-2020-3464 | 1 Cisco | 1 Ucs Director | 2020-08-20 | 3.5 LOW | 4.8 MEDIUM |
| A vulnerability in the web-based management interface of Cisco UCS Director could allow an authenticated, remote attacker with administrative credentials to conduct a cross-site scripting (XSS) attack against a user of the interface. The vulnerability exists because the web-based management interface does not properly validate input. An attacker could exploit this vulnerability by inserting malicious data into a specific data field in the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, an attacker would need administrative credentials on the affected device. | |||||
| CVE-2020-3463 | 1 Cisco | 1 Webex Meetings Online | 2020-08-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Webex Meetings could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of the affected service. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of the affected service. An attacker could exploit this vulnerability by persuading a user to click a malicious link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. | |||||
| CVE-2020-3413 | 1 Cisco | 1 Webex Meetings Online | 2020-08-19 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability in the scheduled meeting template feature of Cisco Webex Meetings could allow an authenticated, remote attacker to delete a scheduled meeting template that belongs to another user in their organization. The vulnerability is due to insufficient authorization enforcement for requests to delete scheduled meeting templates. An attacker could exploit this vulnerability by sending a crafted request to the Webex Meetings interface to delete a scheduled meeting template. A successful exploit could allow the attacker to delete a scheduled meeting template that belongs to a user other than themselves. | |||||
| CVE-2020-3412 | 1 Cisco | 1 Webex Meetings Online | 2020-08-19 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability in the scheduled meeting template feature of Cisco Webex Meetings could allow an authenticated, remote attacker to create a scheduled meeting template that would belong to another user in their organization. The vulnerability is due to insufficient authorization enforcement for the creation of scheduled meeting templates. An attacker could exploit this vulnerability by sending a crafted request to the Webex Meetings interface to create a scheduled meeting template. A successful exploit could allow the attacker to create a scheduled meeting template that would belong to a user other than themselves. | |||||
| CVE-2020-3501 | 1 Cisco | 2 Webex Meetings, Webex Meetings Server | 2020-08-19 | 3.5 LOW | 4.1 MEDIUM |
| Multiple vulnerabilities in the user interface of Cisco Webex Meetings Desktop App could allow an authenticated, remote attacker to obtain restricted information from other Webex users. These vulnerabilities are due to improper input validation of parameters returned to the application from a web site. An attacker with a valid Webex account could exploit these vulnerabilities by persuading a user to follow a URL that is designed to return malicious path parameters to the affected software. A successful exploit could allow the attacker to obtain restricted information from other Webex users. | |||||
| CVE-2020-3502 | 1 Cisco | 2 Webex Meetings, Webex Meetings Server | 2020-08-19 | 3.5 LOW | 4.1 MEDIUM |
| Multiple vulnerabilities in the user interface of Cisco Webex Meetings Desktop App could allow an authenticated, remote attacker to obtain restricted information from other Webex users. These vulnerabilities are due to improper input validation of parameters returned to the application from a web site. An attacker with a valid Webex account could exploit these vulnerabilities by persuading a user to follow a URL that is designed to return malicious path parameters to the affected software. A successful exploit could allow the attacker to obtain restricted information from other Webex users. | |||||
| CVE-2020-3350 | 1 Cisco | 2 Advanced Malware Protection For Endpoints, Clam Antivirus | 2020-08-06 | 3.3 LOW | 6.3 MEDIUM |
| A vulnerability in the endpoint software of Cisco AMP for Endpoints and Clam AntiVirus could allow an authenticated, local attacker to cause the running software to delete arbitrary files on the system. The vulnerability is due to a race condition that could occur when scanning malicious files. An attacker with local shell access could exploit this vulnerability by executing a script that could trigger the race condition. A successful exploit could allow the attacker to delete arbitrary files on the system that the attacker would not normally have privileges to delete, producing system instability or causing the endpoint software to stop working. | |||||
| CVE-2020-3460 | 1 Cisco | 1 Data Center Network Manager | 2020-08-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. The vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by intercepting a request from a user and injecting malicious data into an HTTP header. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive browser-based information. | |||||