Filtered by vendor Cisco
Subscribe
Total
6228 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-1682 | 1 Cisco | 1 Application Policy Infrastructure Controller | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
| A vulnerability in the FUSE filesystem functionality for Cisco Application Policy Infrastructure Controller (APIC) software could allow an authenticated, local attacker to escalate privileges to root on an affected device. The vulnerability is due to insufficient input validation for certain command strings issued on the CLI of the affected device. An attacker with write permissions for files within a readable folder on the device could alter certain definitions in the affected file. A successful exploit could allow an attacker to cause the underlying FUSE driver to execute said crafted commands, elevating the attacker's privileges to root on an affected device. | |||||
| CVE-2019-1681 | 1 Cisco | 1 Ios Xr | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| A vulnerability in the TFTP service of Cisco Network Convergence System 1000 Series software could allow an unauthenticated, remote attacker to retrieve arbitrary files from the targeted device, possibly resulting in information disclosure. The vulnerability is due to improper validation of user-supplied input within TFTP requests processed by the affected software. An attacker could exploit this vulnerability by using directory traversal techniques in malicious requests sent to the TFTP service on a targeted device. An exploit could allow the attacker to retrieve arbitrary files from the targeted device, resulting in the disclosure of sensitive information. This vulnerability affects Cisco IOS XR Software releases prior to Release 6.5.2 for Cisco Network Convergence System 1000 Series devices when the TFTP service is enabled. | |||||
| CVE-2019-1680 | 1 Cisco | 2 Webex Business Suite, Webex Meetings Online | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| A vulnerability in Cisco Webex Business Suite could allow an unauthenticated, remote attacker to inject arbitrary text into a user's browser. The vulnerability is due to improper validation of input. An attacker could exploit this vulnerability by convincing a targeted user to view a malicious URL. A successful exploit could allow the attacker to inject arbitrary text into the user's browser. The attacker could use the content injection to conduct spoofing attacks. Versions prior than 3.0.9 are affected. | |||||
| CVE-2019-1679 | 1 Cisco | 2 Telepresence Conductor, Telepresence Video Communication Server | 2024-11-21 | 4.0 MEDIUM | 5.0 MEDIUM |
| A vulnerability in the web interface of Cisco TelePresence Conductor, Cisco Expressway Series, and Cisco TelePresence Video Communication Server (VCS) Software could allow an authenticated, remote attacker to trigger an HTTP request from an affected server to an arbitrary host. This type of attack is commonly referred to as server-side request forgery (SSRF). The vulnerability is due to insufficient access controls for the REST API of Cisco Expressway Series and Cisco TelePresence VCS. An attacker could exploit this vulnerability by submitting a crafted HTTP request to the affected server. Versions prior to XC4.3.4 are affected. | |||||
| CVE-2019-1678 | 1 Cisco | 1 Meeting Server | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability in Cisco Meeting Server could allow an authenticated, remote attacker to cause a partial denial of service (DoS) to Cisco Meetings application users who are paired with a Session Initiation Protocol (SIP) endpoint. The vulnerability is due to improper validation of coSpaces configuration parameters. An attacker could exploit this vulnerability by inserting crafted strings in specific coSpace parameters. An exploit could allow the attacker to prevent clients from joining a conference call in the affected coSpace. Versions prior to 2.4.3 are affected. | |||||
| CVE-2019-1677 | 1 Cisco | 1 Webex Meetings | 2024-11-21 | 1.9 LOW | 4.6 MEDIUM |
| A vulnerability in Cisco Webex Meetings for Android could allow an unauthenticated, local attacker to perform a cross-site scripting attack against the application. The vulnerability is due to insufficient validation of the application input parameters. An attacker could exploit this vulnerability by sending a malicious request to the Webex Meetings application through an intent. A successful exploit could allow the attacker to execute script code in the context of the Webex Meetings application. Versions prior to 11.7.0.236 are affected. | |||||
| CVE-2019-1676 | 1 Cisco | 1 Meeting Server | 2024-11-21 | 5.0 MEDIUM | 6.8 MEDIUM |
| A vulnerability in the Session Initiation Protocol (SIP) call processing of Cisco Meeting Server (CMS) software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition of the Cisco Meeting Server. The vulnerability is due to insufficient validation of Session Description Protocol (SDP) messages. An attacker could exploit this vulnerability by sending a crafted SDP message to the CMS call bridge. An exploit could allow the attacker to cause the CMS to reload, causing a DoS condition for all connected clients. Versions prior to 2.3.9 are affected. | |||||
| CVE-2019-1675 | 1 Cisco | 2 Aironet Active Sensor, Digital Network Architecture Center | 2024-11-21 | 7.8 HIGH | 7.5 HIGH |
| A vulnerability in the default configuration of the Cisco Aironet Active Sensor could allow an unauthenticated, remote attacker to restart the sensor. The vulnerability is due to a default local account with a static password. The account has privileges only to reboot the device. An attacker could exploit this vulnerability by guessing the account name and password to access the CLI. A successful exploit could allow the attacker to reboot the device repeatedly, creating a denial of service (DoS) condition. It is not possible to change the configuration or view sensitive data with this account. Versions prior to DNAC1.2.8 are affected. | |||||
| CVE-2019-1674 | 2 Cisco, Microsoft | 4 Webex Meetings, Webex Meetings Online, Webex Productivity Tools and 1 more | 2024-11-21 | 9.0 HIGH | 7.8 HIGH |
| A vulnerability in the update service of Cisco Webex Meetings Desktop App and Cisco Webex Productivity Tools for Windows could allow an authenticated, local attacker to execute arbitrary commands as a privileged user. The vulnerability is due to insufficient validation of user-supplied parameters. An attacker could exploit this vulnerability by invoking the update service command with a crafted argument. An exploit could allow the attacker to run arbitrary commands with SYSTEM user privileges. While the CVSS Attack Vector metric denotes the requirement for an attacker to have local access, administrators should be aware that in Active Directory deployments, the vulnerability could be exploited remotely by leveraging the operating system remote management tools. This vulnerability is fixed in Cisco Webex Meetings Desktop App Release 33.6.6 and 33.9.1 releases. This vulnerability is fixed in Cisco Webex Productivity Tools Release 33.0.7. | |||||
| CVE-2019-1673 | 1 Cisco | 1 Identity Services Engine | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based interface. The vulnerability is due to insufficient input validation of some parameters passed to the web-based management interface. An attacker could exploit this vulnerability by convincing a user of the interface to click a specific link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive browser-based information. For information about fixed software releases, consult the Cisco bug ID at https://quickview.cloudapps.cisco.com/quickview/bug/CSCvn64652. When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution. | |||||
| CVE-2019-1672 | 1 Cisco | 1 Web Security Appliance | 2024-11-21 | 5.0 MEDIUM | 5.8 MEDIUM |
| A vulnerability in the Decryption Policy Default Action functionality of the Cisco Web Security Appliance (WSA) could allow an unauthenticated, remote attacker to bypass a configured drop policy and allow traffic onto the network that should have been denied. The vulnerability is due to the incorrect handling of SSL-encrypted traffic when Decrypt for End-User Notification is disabled in the configuration. An attacker could exploit this vulnerability by sending a SSL connection through the affected device. A successful exploit could allow the attacker to bypass a configured drop policy to block specific SSL connections. Releases 10.1.x and 10.5.x are affected. | |||||
| CVE-2019-1670 | 1 Cisco | 1 Unified Intelligence Center | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Unified Intelligence Center Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface of an affected system. The vulnerability is due to insufficient input validation of a user-supplied value. An attacker could exploit this vulnerability by convincing a user to click a specific link. A successful exploit could allow the attacker to submit arbitrary requests to the affected system via a web browser with the privileges of the user. | |||||
| CVE-2019-1669 | 1 Cisco | 1 Firepower Threat Defense | 2024-11-21 | 5.0 MEDIUM | 8.6 HIGH |
| A vulnerability in the data acquisition (DAQ) component of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass configured access control policies or cause a denial of service (DoS) condition. The vulnerability exists because the affected software improperly manages system memory resources when inspecting traffic. An attacker could exploit this vulnerability by generating specific traffic patterns for the software to inspect. A successful exploit could allow the attacker to exhaust system memory resources used for traffic inspection. Depending on the configuration, the FTD Software could fail open and cease to inspect traffic or fail closed and result in a DoS condition. This vulnerability may require manual intervention to restore the software. | |||||
| CVE-2019-1668 | 1 Cisco | 1 Socialminer | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability in the chat feed feature of Cisco SocialMiner could allow an unauthenticated, remote attacker to perform cross-site scripting (XSS) attacks against a user of the web-based user interface of an affected system. This vulnerability is due to insufficient sanitization of user-supplied input delivered to the chat feed as part of an HTTP request. An attacker could exploit this vulnerability by persuading a user to follow a link to attacker-controlled content. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. | |||||
| CVE-2019-1667 | 1 Cisco | 1 Hyperflex Hx Data Platform | 2024-11-21 | 2.1 LOW | 3.3 LOW |
| A vulnerability in the Graphite interface of Cisco HyperFlex software could allow an authenticated, local attacker to write arbitrary data to the Graphite interface. The vulnerability is due to insufficient authorization controls. An attacker could exploit this vulnerability by connecting to the Graphite service and sending arbitrary data. A successful exploit could allow the attacker to write arbitrary data to Graphite, which could result in invalid statistics being presented in the interface. Versions prior to 3.5(2a) are affected. | |||||
| CVE-2019-1666 | 1 Cisco | 1 Hyperflex Hx Data Platform | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability in the Graphite service of Cisco HyperFlex software could allow an unauthenticated, remote attacker to retrieve data from the Graphite service. The vulnerability is due to insufficient authentication controls. An attacker could exploit this vulnerability by sending crafted requests to the Graphite service. A successful exploit could allow the attacker to retrieve any statistics from the Graphite service. Versions prior to 3.5(2a) are affected. | |||||
| CVE-2019-1665 | 1 Cisco | 1 Hyperflex Hx Data Platform | 2024-11-21 | 4.3 MEDIUM | 4.7 MEDIUM |
| A vulnerability in the web-based management interface of Cisco HyperFlex software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected system. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by persuading a user of the interface to click a maliciously crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. Versions prior to 3.5(1a) are affected. | |||||
| CVE-2019-1664 | 1 Cisco | 1 Hyperflex Hx Data Platform | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
| A vulnerability in the hxterm service of Cisco HyperFlex Software could allow an unauthenticated, local attacker to gain root access to all nodes in the cluster. The vulnerability is due to insufficient authentication controls. An attacker could exploit this vulnerability by connecting to the hxterm service as a non-privileged, local user. A successful exploit could allow the attacker to gain root access to all member nodes of the HyperFlex cluster. This vulnerability affects Cisco HyperFlex Software Releases prior to 3.5(2a). | |||||
| CVE-2019-1663 | 1 Cisco | 6 Rv110w, Rv110w Firmware, Rv130w and 3 more | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| A vulnerability in the web-based management interface of the Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. The vulnerability is due to improper validation of user-supplied data in the web-based management interface. An attacker could exploit this vulnerability by sending malicious HTTP requests to a targeted device. A successful exploit could allow the attacker to execute arbitrary code on the underlying operating system of the affected device as a high-privilege user. RV110W Wireless-N VPN Firewall versions prior to 1.2.2.1 are affected. RV130W Wireless-N Multifunction VPN Router versions prior to 1.0.3.45 are affected. RV215W Wireless-N VPN Router versions prior to 1.3.1.1 are affected. | |||||
| CVE-2019-1662 | 1 Cisco | 1 Prime Collaboration Assurance | 2024-11-21 | 6.4 MEDIUM | 8.2 HIGH |
| A vulnerability in the Quality of Voice Reporting (QOVR) service of Cisco Prime Collaboration Assurance (PCA) Software could allow an unauthenticated, remote attacker to access the system as a valid user. The vulnerability is due to insufficient authentication controls. An attacker could exploit this vulnerability by connecting to the QOVR service with a valid username. A successful exploit could allow the attacker to perform actions with the privileges of the user that is used for access. This vulnerability affects Cisco PCA Software Releases prior to 12.1 SP2. | |||||