CVSS: 9.0EPSS: 0%CPEs: 38EXPL: 0CVE-2019-1755 – Cisco IOS XE Software Command Injection Vulnerability
https://notcve.org/view.php?id=CVE-2019-1755
A vulnerability in the Web Services Management Agent (WSMA) function of Cisco IOS XE Software could allow an authenticated, remote attacker to execute arbitrary Cisco IOS commands as a privilege level 15 user. The vulnerability occurs because the affected software improperly sanitizes user-supplied input. An attacker could exploit this vulnerability by submitting crafted HTTP requests to the targeted application. A successful exploit could allow the attacker to execute arbitrary commands on the affected device. Una vulnerabilidad en la función WSMA (Web Services Management Agent) del software Cisco IOS XE podría permitir que un atacante remoto autenticado ejecute comandos arbitrarios de Cisco IOS como usuario con nivel 15 de privilegios. • http://www.securityfocus.com/bid/107380 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-iosxe-cmdinj • CWE-20: Improper Input Validation •
CVSS: 9.0EPSS: 0%CPEs: 16EXPL: 0CVE-2019-1756 – Cisco IOS XE Software Command Injection Vulnerability
https://notcve.org/view.php?id=CVE-2019-1756
A vulnerability in Cisco IOS XE Software could allow an authenticated, remote attacker to execute commands on the underlying Linux shell of an affected device with root privileges. The vulnerability occurs because the affected software improperly sanitizes user-supplied input. An attacker who has valid administrator access to an affected device could exploit this vulnerability by supplying a username with a malicious payload in the web UI and subsequently making a request to a specific endpoint in the web UI. A successful exploit could allow the attacker to run arbitrary commands as the root user, allowing complete compromise of the system. Una vulnerabilidad en el software Cisco IOS XE podría permitir que un atacante remoto autenticado ejecute comandos en el shell de Linux subyacente de un dispositivo afectado con privilegios root. • http://www.securityfocus.com/bid/107598 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-iosxe-cmdinject • CWE-20: Improper Input Validation •
CVSS: 9.0EPSS: 0%CPEs: 15EXPL: 0CVE-2019-1753 – Cisco IOS XE Software Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2019-1753
A vulnerability in the web UI of Cisco IOS XE Software could allow an authenticated but unprivileged (level 1), remote attacker to run privileged Cisco IOS commands by using the web UI. The vulnerability is due to a failure to validate and sanitize input in Web Services Management Agent (WSMA) functions. An attacker could exploit this vulnerability by submitting a malicious payload to the affected device's web UI. A successful exploit could allow the lower-privileged attacker to execute arbitrary commands with higher privileges on the affected device. Una vulnerabilidad en la interfaz web del software Cisco IOS XE podría permitir que un atacante remoto autenticado sin privilegios (nivel 1) ejecute comandos Cisco IOS privilegiados mediante el uso de la interfaz web. • http://www.securityfocus.com/bid/107602 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-iosxe-pe • CWE-20: Improper Input Validation •
CVSS: 7.4EPSS: 0%CPEs: 930EXPL: 0CVE-2019-1748 – Cisco IOS and IOS XE Software Network Plug-and-Play Agent Certificate Validation Vulnerability
https://notcve.org/view.php?id=CVE-2019-1748
A vulnerability in the Cisco Network Plug-and-Play (PnP) agent of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to gain unauthorized access to sensitive data. The vulnerability exists because the affected software insufficiently validates certificates. An attacker could exploit this vulnerability by supplying a crafted certificate to an affected device. A successful exploit could allow the attacker to conduct man-in-the-middle attacks to decrypt and modify confidential information on user connections to the affected software. Una vulnerabilidad en el agente Cisco Network Plug-and-Play (PnP) de los softwares Cisco IOS y Cisco IOS XE podría permitir que un atacante remoto no autenticado obtenga acceso no autorizado a datos sensibles. • http://www.securityfocus.com/bid/107619 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-pnp-cert • CWE-295: Improper Certificate Validation •
CVSS: 7.4EPSS: 0%CPEs: 567EXPL: 0CVE-2019-1746 – Cisco IOS and IOS XE Software Cluster Management Protocol Denial of Service Vulnerability
https://notcve.org/view.php?id=CVE-2019-1746
A vulnerability in the Cluster Management Protocol (CMP) processing code in Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, adjacent attacker to trigger a denial of service (DoS) condition on an affected device. The vulnerability is due to insufficient input validation when processing CMP management packets. An attacker could exploit this vulnerability by sending malicious CMP management packets to an affected device. A successful exploit could cause the switch to crash, resulting in a DoS condition. The switch will reload automatically. • http://www.securityfocus.com/bid/107612 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-cmp-dos • CWE-20: Improper Input Validation •