9 results (0.003 seconds)

CVSS: 10.0EPSS: 0%CPEs: 8EXPL: 0

A vulnerability in the ACS Report component of Cisco Secure Access Control System (ACS) could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected system. Commands executed by the attacker are processed at the targeted user's privilege level. The vulnerability is due to insufficient validation of the Action Message Format (AMF) protocol. An attacker could exploit this vulnerability by sending a crafted AMF message that contains malicious code to a targeted user. A successful exploit could allow the attacker to execute arbitrary commands on the ACS device. • http://www.securityfocus.com/bid/104075 http://www.securitytracker.com/id/1040808 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180502-acs1 • CWE-20: Improper Input Validation •

CVSS: 10.0EPSS: 2%CPEs: 1EXPL: 0

A vulnerability in Java deserialization used by Cisco Secure Access Control System (ACS) prior to release 5.8 patch 9 could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device. The vulnerability is due to insecure deserialization of user-supplied content by the affected software. An attacker could exploit this vulnerability by sending a crafted serialized Java object. An exploit could allow the attacker to execute arbitrary commands on the device with root privileges. Cisco Bug IDs: CSCvh25988. • http://www.securityfocus.com/bid/103328 http://www.securitytracker.com/id/1040463 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180307-acs2 • CWE-20: Improper Input Validation CWE-502: Deserialization of Untrusted Data •

CVSS: 4.0EPSS: 0%CPEs: 3EXPL: 0

Cisco Secure Access Control System before 5.4(0.46.2) and 5.5 before 5.5(0.46) and Cisco Identity Services Engine 1.0(4.573) do not properly implement access control for support bundles, which allows remote authenticated users to obtain sensitive information via brute-force attempts to send valid credentials, aka Bug IDs CSCue00833 and CSCub40331. Cisco Secure Access Control System anterior a 5.4(0.46.2) y 5.5 anterior a 5.5(0.46) y Cisco Identity Services Engine 1.0(4.573) no implementan correctamente el control de acceso para paquetes de soporte, lo que permite a usuarios remotos autenticados obtener información sensible a través de intentos de fuerza bruta de enviar credenciales válidas, también conocido como Bug IDs CSCue00833 y CSCub40331. • http://tools.cisco.com/security/center/viewAlert.x?alertId=39501 http://www.securityfocus.com/bid/75379 http://www.securitytracker.com/id/1032713 http://www.securitytracker.com/id/1032714 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0

Cross-site scripting (XSS) vulnerability in Cisco Access Control Server (ACS) 5.5(0.1) allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug ID CSCuu11002. Vulnerabilidad de XSS en Cisco Access Control Server (ACS) 5.5(0.1) permite a atacantes remotos inyectar secuencias de comandos web arbitrarios o HTML a través de una URL manipulada, también conocido como Bug ID CSCuu11002. • http://tools.cisco.com/security/center/viewAlert.x?alertId=38808 http://www.securitytracker.com/id/1032328 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0

Multiple SQL injection vulnerabilities in the ACS View reporting interface pages in Cisco Secure Access Control System (ACS) before 5.5 patch 7 allow remote authenticated administrators to execute arbitrary SQL commands via crafted HTTPS requests, aka Bug ID CSCuq79027. Múltiples vulnerabilidades de inyección SQL en las páginas de la interfaz de los informes de ACS View en Cisco Secure Access Control System (ACS) anterior a 5.5 parche 7 permiten a administradores remotos autenticados ejecutar comandos SQL arbitrarios a través de solicitudes HTTPS manipuladas, también conocido como Bug ID CSCuq79027. • http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150211-csacs http://www.securityfocus.com/bid/72576 http://www.securitytracker.com/id/1031740 https://exchange.xforce.ibmcloud.com/vulnerabilities/100812 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •