CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-20929
https://notcve.org/view.php?id=CVE-2022-20929
08 Mar 2023 — A vulnerability in the upgrade signature verification of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an unauthenticated, local attacker to provide an unauthentic upgrade file for upload. This vulnerability is due to insufficient cryptographic signature verification of upgrade files. An attacker could exploit this vulnerability by providing an administrator with an unauthentic upgrade file. A successful exploit could allow the attacker to fully compromise the Cisco NFVIS system. • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-NFVIS-ISV-BQrvEv2h • CWE-347: Improper Verification of Cryptographic Signature •
CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 1CVE-2022-20780 – Cisco Enterprise NFV Infrastructure Software Vulnerabilities
https://notcve.org/view.php?id=CVE-2022-20780
04 May 2022 — Multiple vulnerabilities in Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an attacker to escape from the guest virtual machine (VM) to the host machine, inject commands that execute at the root level, or leak system data from the host to the VM. For more information about these vulnerabilities, see the Details section of this advisory. Múltiples vulnerabilidades en Cisco Enterprise NFV Infrastructure Software (NFVIS) podrían permitir a un atacante escapar de la máquina virtual (VM) invita... • https://github.com/orangecertcc/security-research/security/advisories/GHSA-hrpq-384f-vrpg • CWE-284: Improper Access Control CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 1CVE-2022-20779 – Cisco Enterprise NFV Infrastructure Software Vulnerabilities
https://notcve.org/view.php?id=CVE-2022-20779
04 May 2022 — Multiple vulnerabilities in Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an attacker to escape from the guest virtual machine (VM) to the host machine, inject commands that execute at the root level, or leak system data from the host to the VM. For more information about these vulnerabilities, see the Details section of this advisory. Múltiples vulnerabilidades en Cisco Enterprise NFV Infrastructure Software (NFVIS) podrían permitir a un atacante escapar de la máquina virtual (VM) invita... • https://github.com/orangecertcc/security-research/security/advisories/GHSA-77vw-2pmg-q492 • CWE-20: Improper Input Validation CWE-284: Improper Access Control •
CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 1CVE-2022-20777 – Cisco Enterprise NFV Infrastructure Software Vulnerabilities
https://notcve.org/view.php?id=CVE-2022-20777
04 May 2022 — Multiple vulnerabilities in Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an attacker to escape from the guest virtual machine (VM) to the host machine, inject commands that execute at the root level, or leak system data from the host to the VM. For more information about these vulnerabilities, see the Details section of this advisory. Múltiples vulnerabilidades en Cisco Enterprise NFV Infrastructure Software (NFVIS) podrían permitir a un atacante escapar de la máquina virtual (VM) invita... • https://github.com/orangecertcc/security-research/security/advisories/GHSA-v56f-9gq3-rx3g • CWE-284: Improper Access Control •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2021-34746 – Cisco Enterprise NFV Infrastructure Software Authentication Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2021-34746
02 Sep 2021 — A vulnerability in the TACACS+ authentication, authorization and accounting (AAA) feature of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an unauthenticated, remote attacker to bypass authentication and log in to an affected device as an administrator. This vulnerability is due to incomplete validation of user-supplied input that is passed to an authentication script. An attacker could exploit this vulnerability by injecting parameters into an authentication request. A successful exploit... • https://github.com/orangecertcc/security-research/security/advisories/GHSA-gqx8-c4xr-c664 • CWE-287: Improper Authentication CWE-289: Authentication Bypass by Alternate Name •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-1421 – Cisco Enterprise NFV Infrastructure Software Command Injection Vulnerability
https://notcve.org/view.php?id=CVE-2021-1421
06 May 2021 — A vulnerability in Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, local attacker to perform a command injection attack on an affected device. The vulnerability is due to insufficient validation of user-supplied input to a configuration command. An attacker could exploit this vulnerability by including malicious input during the execution of this command. A successful exploit could allow a non-privileged attacker authenticated in the restricted CLI to execute arbitrary com... • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nfvis-cmdinj-DkFjqg2j • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2021-1127 – Cisco Enterprise NFV Infrastructure Software Cross-Site Scripting Vulnerability
https://notcve.org/view.php?id=CVE-2021-1127
13 Jan 2021 — A vulnerability in the web-based management interface of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface. The vulnerability is due to improper input validation of log file content stored on the affected device. An attacker could exploit this vulnerability by modifying a log file with malicious code and getting a user to view the modified log file. A successfu... • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nfvis-xss-smsz5Vhb • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 29EXPL: 0CVE-2020-3470 – Cisco Integrated Management Controller Multiple Remote Code Execution Vulnerabilities
https://notcve.org/view.php?id=CVE-2020-3470
18 Nov 2020 — Multiple vulnerabilities in the API subsystem of Cisco Integrated Management Controller (IMC) could allow an unauthenticated, remote attacker to execute arbitrary code with root privileges. The vulnerabilities are due to improper boundary checks for certain user-supplied input. An attacker could exploit these vulnerabilities by sending a crafted HTTP request to the API subsystem of an affected system. When this request is processed, an exploitable buffer overflow condition may occur. A successful exploit co... • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucs-api-rce-UXwpeDHd • CWE-20: Improper Input Validation CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2019-1893 – Cisco Enterprise NFV Infrastructure Software Command Injection Vulnerability
https://notcve.org/view.php?id=CVE-2019-1893
06 Jul 2019 — A vulnerability in Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system (OS) of an affected device as root. The vulnerability is due to insufficient input validation of a configuration file that is accessible to a local shell user. An attacker could exploit this vulnerability by including malicious input during the execution of this file. A successful exploit could allow the attacker to execute arbi... • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190703-nfvis-commandinj • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2019-1894 – Cisco Enterprise NFV Infrastructure Software Arbitrary File Read and Write Vulnerability
https://notcve.org/view.php?id=CVE-2019-1894
06 Jul 2019 — A vulnerability in Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, remote attacker with administrator privileges to overwrite or read arbitrary files on the underlying operating system (OS) of an affected device. The vulnerability is due to improper input validation in NFVIS filesystem commands. An attacker could exploit this vulnerability by using crafted variables during the execution of an affected command. A successful exploit could allow the attacker to overwrite or r... • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190703-nfvis-file-readwrite • CWE-20: Improper Input Validation •