3 results (0.023 seconds)

CVSS: 4.3EPSS: 0%CPEs: 38EXPL: 0

A vulnerability in Internet Key Exchange version 2 (IKEv2) processing of Cisco Secure Client Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) of Cisco Secure Client. This vulnerability is due to an integer underflow condition. An attacker could exploit this vulnerability by sending a crafted IKEv2 packet to an affected system. A successful exploit could allow the attacker to cause Cisco Secure Client Software to crash, resulting in a DoS condition on the client software. Note: Cisco Secure Client Software releases 4.10 and earlier were known as Cisco AnyConnect Secure Mobility Client. • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-csc-dos-XvPhM3bj • CWE-191: Integer Underflow (Wrap or Wraparound) •

CVSS: 6.8EPSS: 0%CPEs: 37EXPL: 0

A vulnerability in the Network Access Manager (NAM) module of Cisco Secure Client could allow an unauthenticated attacker with physical access to an affected device to elevate privileges to SYSTEM. This vulnerability is due to a lack of authentication on a specific function. A successful exploit could allow the attacker to execute arbitrary code with SYSTEM privileges on an affected device. Una vulnerabilidad en el módulo Network Access Manager (NAM) de Cisco Secure Client podría permitir que un atacante no autenticado con acceso físico a un dispositivo afectado eleve privilegios al SYSTEM. Esta vulnerabilidad se debe a la falta de autenticación en una función específica. Un exploit exitoso podría permitir al atacante ejecutar código arbitrario con privilegios de SYSTEM en un dispositivo afectado. • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-secure-nam-priv-esc-szu2vYpZ • CWE-306: Missing Authentication for Critical Function •

CVSS: 8.2EPSS: 0%CPEs: 34EXPL: 0

A vulnerability in the SAML authentication process of Cisco Secure Client could allow an unauthenticated, remote attacker to conduct a carriage return line feed (CRLF) injection attack against a user. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by persuading a user to click a crafted link while establishing a VPN session. A successful exploit could allow the attacker to execute arbitrary script code in the browser or access sensitive, browser-based information, including a valid SAML token. The attacker could then use the token to establish a remote access VPN session with the privileges of the affected user. • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-secure-client-crlf-W43V4G7 • CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') •