2 results (0.002 seconds)

CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0

A vulnerability in the CLI of Cisco Unity Express could allow an authenticated, local attacker to inject arbitrary commands that are executed with root privileges. To exploit this vulnerability, an attacker would need valid administrator credentials. The vulnerability is due to improper input validation for certain CLI commands that are executed on a vulnerable system. An attacker could exploit this vulnerability by logging in to the system and sending crafted CLI commands. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system and elevate privileges to root. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191120-unity-exp-comm-inject • CWE-20: Improper Input Validation CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVSS: 10.0EPSS: 59%CPEs: 1EXPL: 0

A Java deserialization vulnerability in Cisco Unity Express (CUE) could allow an unauthenticated, remote attacker to execute arbitrary shell commands with the privileges of the root user. The vulnerability is due to insecure deserialization of user-supplied content by the affected software. An attacker could exploit this vulnerability by sending a malicious serialized Java object to the listening Java Remote Method Invocation (RMI) service. A successful exploit could allow the attacker to execute arbitrary commands on the device with root privileges. Una vulnerabilidad de deserialización Java en Cisco Unity Express (CUE) podría permitir que un atacante remoto no autenticado ejecute comandos shell arbitrarios con los privilegios del usuario root. • http://www.securityfocus.com/bid/105876 http://www.securitytracker.com/id/1042130 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-cue • CWE-502: Deserialization of Untrusted Data •