CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2023-20110 – Cisco Smart Software Manager On-Prem SQL Injection Vulnerability
https://notcve.org/view.php?id=CVE-2023-20110
A vulnerability in the web-based management interface of Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. This vulnerability exists because the web-based management interface inadequately validates user input. An attacker could exploit this vulnerability by authenticating to the application as a low-privileged user and sending crafted SQL queries to an affected system. A successful exploit could allow the attacker to read sensitive data on the underlying database. • https://github.com/redfr0g/CVE-2023-20110 https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ssm-sql-X9MmjSYh • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-34766 – Cisco Smart Software Manager Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2021-34766
A vulnerability in the web UI of Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an authenticated, remote attacker to elevate privileges and create, read, update, or delete records and settings in multiple functions. This vulnerability is due to insufficient authorization of the System User and System Operator role capabilities. An attacker could exploit this vulnerability by directly accessing a web resource. A successful exploit could allow the attacker to create, read, update, or delete records and settings in multiple functions without the necessary permissions on the web UI. Una vulnerabilidad en la interfaz de usuario web de Cisco Smart Software Manager On-Prem (SSM On-Prem) podría permitir a un atacante remoto autenticado elevar los privilegios y crear, leer, actualizar o eliminar registros y configuraciones en múltiples funciones. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ssm-priv-esc-5g35cdDJ • CWE-269: Improper Privilege Management •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2020-3245 – Cisco Smart Software Manager On-Prem Improper Access Control Vulnerability
https://notcve.org/view.php?id=CVE-2020-3245
A vulnerability in the web application of Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an unauthenticated, remote attacker to create arbitrary user accounts. The vulnerability is due to the lack of authorization controls in the web application. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to add user accounts to the configuration of an affected device. These accounts would not be administrator or operator accounts. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-on-prem-access-ctrl-fpQRfdpf • CWE-284: Improper Access Control CWE-862: Missing Authorization •