CVE-2017-12225
https://notcve.org/view.php?id=CVE-2017-12225
A vulnerability in the web functionality of the Cisco Prime LAN Management Solution could allow an authenticated, remote attacker to hijack another user's administrative session, aka a Session Fixation Vulnerability. The vulnerability is due to the reuse of a preauthentication session token as part of the postauthentication session. An attacker could exploit this vulnerability by obtaining the presession token ID. An exploit could allow an attacker to hijack an existing user's session. Known Affected Releases: 4.2(5).
• http://www.securitytracker.com/id/1039285
• https://quickview.cloudapps.cisco.com/quickview/bug/CSCvf58392
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170906-prime-lms
• CWE-287: Improper Authentication
• CWE-384: Session Fixation
CVE-2016-1360
https://notcve.org/view.php?id=CVE-2016-1360
Cisco Prime LAN Management Solution (LMS) through 4.2.5 uses the same database decryption key across different customers' installations, which allows local users to obtain cleartext data by leveraging console connectivity, aka Bug ID CSCuw85390.
• http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160310-prime-lms
• http://www.securitytracker.com/id/1035313
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2012-6392
https://notcve.org/view.php?id=CVE-2012-6392
Cisco Prime LAN Management Solution (LMS) 4.1 through 4.2.2 on Linux does not properly validate authentication and authorization requests in TCP sessions, which allows remote attackers to execute arbitrary commands via a crafted session, aka Bug ID CSCuc79779.
• http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130109-lms
• CWE-20: Improper Input Validation
CVE-2011-4237
https://notcve.org/view.php?id=CVE-2011-4237
CRLF injection vulnerability in autologin.jsp in Cisco CiscoWorks Common Services 4.0, as used in Cisco Prime LAN Management Solution and other products, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the URL parameter, aka Bug ID CSCtu18693.
• http://secunia.com/advisories/49094
• http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/4.2/release/notes/lms42rel.html
• http://www.nessus.org/plugins/index.php?view=single&id=58950
• CWE-94: Improper Control of Generation of Code ('Code Injection')