8 results (0.003 seconds)

CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1

A vulnerability in the web-based management interface of Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. This vulnerability exists because the web-based management interface inadequately validates user input. An attacker could exploit this vulnerability by authenticating to the application as a low-privileged user and sending crafted SQL queries to an affected system. A successful exploit could allow the attacker to read sensitive data on the underlying database. • https://github.com/redfr0g/CVE-2023-20110 https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ssm-sql-X9MmjSYh • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0

A vulnerability in the web UI of Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an authenticated, remote attacker to elevate privileges and create, read, update, or delete records and settings in multiple functions. This vulnerability is due to insufficient authorization of the System User and System Operator role capabilities. An attacker could exploit this vulnerability by directly accessing a web resource. A successful exploit could allow the attacker to create, read, update, or delete records and settings in multiple functions without the necessary permissions on the web UI. Una vulnerabilidad en la interfaz de usuario web de Cisco Smart Software Manager On-Prem (SSM On-Prem) podría permitir a un atacante remoto autenticado elevar los privilegios y crear, leer, actualizar o eliminar registros y configuraciones en múltiples funciones. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ssm-priv-esc-5g35cdDJ • CWE-269: Improper Privilege Management •

CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0

A vulnerability in the web management interface of Cisco Smart Software Manager satellite could allow an authenticated, remote attacker to redirect a user to an undesired web page. The vulnerability is due to improper input validation of the URL parameters in an HTTP request that is sent to an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request that could cause the web application to redirect the request to a specified malicious URL. A successful exploit could allow the attacker to redirect a user to a malicious website. Una vulnerabilidad en la interfaz de administración web de Cisco Smart Software Manager Satellite, podría permitir a un atacante remoto autenticado redireccionar a un usuario hacia a una página web no deseada. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cssmor-MDCWkT2x • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •

CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0

A vulnerability in Cisco Smart Software Manager Satellite could allow an authenticated, local attacker to access sensitive information on an affected system. The vulnerability is due to insufficient protection of static credentials in the affected software. An attacker could exploit this vulnerability by gaining access to the static credential that is stored on the local device. A successful exploit could allow the attacker to view static credentials, which the attacker could use to carry out further attacks. Una vulnerabilidad en Cisco Smart Software Manager Satellite, podría permitir a un atacante local autenticado acceder a información confidencial en un sistema afectado. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cssm-sc-Jd42D4Tq • CWE-798: Use of Hard-coded Credentials •

CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0

A vulnerability in the web-based management interface of Cisco Smart Software Manager Satellite could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. The vulnerability exists because the web-based management interface improperly validates values within SQL queries. An attacker could exploit this vulnerability by authenticating to the application and sending malicious SQL queries to an affected system. A successful exploit could allow the attacker to modify values on or return values from the underlying database or the operating system. Una vulnerabilidad en la interfaz de administración basada en web de Cisco Smart Software Manager Satellite, podría permitir a un atacante remoto autenticado conducir ataques de inyección SQL en un sistema afectado. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cssm-sqi-h5fDvZWp • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •