CVE-2024-20536

A vulnerability in a REST API endpoint and web-based management interface of Cisco Nexus Dashboard Fabric Controller (NDFC) could allow an authenticated, remote attacker with read-only privileges to execute arbitrary SQL commands on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted request to a specific REST API endpoint or web-based management interface. A successful exploit could allow the attacker to read, modify, or delete arbitrary data on an internal database, which could affect the availability of the device. 

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ndfc-sqli-CyPPAxrL	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:cisco:nexus_dashboard_fabric_controller:12.1.2:::::::*
	cpe:2.3:a:cisco:nexus_dashboard_fabric_controller:12.1.3:::::::*

History

07 Aug 2025, 00:23

Type	Values Removed	Values Added
First Time		Cisco Cisco nexus Dashboard Fabric Controller
CPE		cpe:2.3:a:cisco:nexus_dashboard_fabric_controller:12.1.3:::::::* cpe:2.3:a:cisco:nexus_dashboard_fabric_controller:12.1.2:::::::*
References	~~() https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ndfc-sqli-CyPPAxrL -~~	() https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ndfc-sqli-CyPPAxrL - Vendor Advisory
Summary		(es) Una vulnerabilidad en un endpoint de API REST y una interfaz de administración basada en web de Cisco Nexus Dashboard Fabric Controller (NDFC) podría permitir que un atacante remoto autenticado con privilegios de solo lectura ejecute comandos SQL arbitrarios en un dispositivo afectado. Esta vulnerabilidad se debe a una validación insuficiente de la entrada proporcionada por el usuario. Un atacante podría aprovechar esta vulnerabilidad enviando una solicitud manipulado a un endpoint de API REST o una interfaz de administración basada en web específicos. Una explotación exitosa podría permitir que el atacante lea, modifique o elimine datos arbitrarios en una base de datos interna, lo que podría afectar la disponibilidad del dispositivo.

06 Nov 2024, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-11-06 17:15

Updated : 2025-08-07 00:23

NVD link : CVE-2024-20536

Mitre link : CVE-2024-20536

CVE.ORG link : CVE-2024-20536

JSON object : View

Products Affected

cisco

nexus_dashboard_fabric_controller

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

8.8 /10