Cisco Elastic Services Controller Service Portal Unauthorized Access Vulnerability

A vulnerability in the use of JSON web tokens by the web-based service portal of Cisco Elastic Services Controller Software could allow an unauthenticated, remote attacker to gain administrative access to an affected system.

The vulnerability is due to the presence of static default credentials for the web-based service portal of the affected software. An attacker could exploit this vulnerability by extracting the credentials from an image of the affected software and using those credentials to generate a valid administrative session token for the web-based service portal of any other installation of the affected software. A successful exploit could allow the attacker to gain administrative access to the web-based service portal of an affected system.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180221-esc1

Security Impact Rating: High

CVE: CVE-2018-0130

Related:

  • No Related Posts

Cisco Aironet Active Sensor Static Credentials Vulnerability

A vulnerability in the default configuration of the Cisco Aironet Active Sensor could allow an unauthenticated, remote attacker to restart the sensor.

The vulnerability is due to a default local account with a static password. The account has privileges only to reboot the device. An attacker could exploit this vulnerability by guessing the account name and password to access the CLI. A successful exploit could allow the attacker to reboot the device repeatedly, creating a denial of service (DoS) condition. It is not possible to change the configuration or view sensitive data with this account.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190206-aas-creds

Security Impact Rating: Medium

CVE: CVE-2019-1675

Related:

  • No Related Posts

Cisco TelePresence Management Suite Simple Object Access Protocol Vulnerability

A vulnerability in the Simple Object Access Protocol (SOAP) of Cisco TelePresence Management Suite (TMS) software could allow an unauthenticated, remote attacker to gain unauthorized access to an affected device.

The vulnerability is due to a lack of proper access and authentication controls on the affected TMS software. An attacker could exploit this vulnerability by gaining access to internal, trusted networks to send crafted SOAP calls to the affected device. If successful, an exploit could allow the attacker to access system management tools. Under normal circumstances, this access should be prohibited.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190206-tms-soap

Security Impact Rating: Medium

CVE: CVE-2019-1660

Related:

  • No Related Posts

Multiple Cisco Unified Communications Products Reflected Cross-Site Scripting Vulnerability

A vulnerability in the web-based management interface of Cisco Emergency Responder and Cisco Unified Communications Manager could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device.

The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the web-based management interface to click a link that submits malicious input to the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive browser-based information.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180221-ucm

Security Impact Rating: Medium

CVE: CVE-2018-0206

Related:

  • No Related Posts

Cisco SocialMiner Chat Feed Cross-Site Scripting Vulnerabilities

Multiple vulnerabilities in the chat feed feature of Cisco SocialMiner could allow an unauthenticated, remote attacker to perform cross-site scripting (XSS) attacks against a user of the web-based user interface of an affected system.

These vulnerabilities are due to insufficient sanitization of user-supplied input delivered to the chat feed as part of an HTTP request. An attacker could exploit these vulnerabilities by persuading a user to follow a link to attacker-controlled content. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.

There are no workarounds that address these vulnerabilities.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-miner-chat-xss

Security Impact Rating: Medium

CVE: CVE-2019-1668

Related:

  • No Related Posts

Cisco Webex Meetings Server Cross-Site Scripting Vulnerability

A vulnerability in the web-based management interface of Cisco Webex Meetings Server could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based interface of the affected software.

The vulnerability is due to insufficient validation of user-supplied input by the affected software. An attacker could exploit this vulnerability by persuading a user of the interface to click a maliciously crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-meetings-xss

Security Impact Rating: Medium

CVE: CVE-2019-1655

Related:

  • No Related Posts

Cisco Connected Mobile Experiences Information Disclosure Vulnerability

A vulnerability in the Cisco Connected Mobile Experiences (CMX) software could allow an unauthenticated, adjacent attacker to access sensitive data on an affected device.

The vulnerability is due to a lack of input and validation checking mechanisms for certain GET requests to API’s on an affected device. An attacker could exploit this vulnerability by sending HTTP GET requests to an affected device. An exploit could allow the attacker to use this information to conduct additional reconnaissance attacks.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-cmx-info-discl

Security Impact Rating: Medium

CVE: CVE-2019-1645

Related:

  • No Related Posts

Cisco Identity Services Engine Privilege Escalation Vulnerability

A vulnerability in the administrative web interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to gain additional privileges on an affected device.

The vulnerability is due to improper controls on certain pages in the web interface. An attacker could exploit this vulnerability by authenticating to the device with an administrator account and sending a crafted HTTP request. A successful exploit could allow the attacker to create additional Admin accounts with different user roles. An attacker could then use these accounts to perform actions within their scope. The attacker would need valid Admin credentials for the device. This vulnerability cannot be exploited to add a Super Admin account.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-ise-privilege

Security Impact Rating: High

CVE: CVE-2018-15459

Related:

  • No Related Posts

Cisco IoT Field Network Director Resource Exhaustion Denial of Service Vulnerability

A vulnerability in the UDP protocol implementation for Cisco IoT Field Network Director (IoT-FND) could allow an unauthenticated, remote attacker to exhaust system resources, resulting in a denial of service (DoS) condition.

The vulnerability is due to improper resource management for UDP ingress packets. An attacker could exploit this vulnerability by sending a high rate of UDP packets to an affected system within a short period of time. A successful exploit could allow the attacker to exhaust available system resources, resulting in a DoS condition.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-iot-fnd-dos

Security Impact Rating: High

CVE: CVE-2019-1644

Related:

  • No Related Posts