CVE-2018-0312
https://notcve.org/view.php?id=CVE-2018-0312
A vulnerability in the Cisco Fabric Services component of Cisco FXOS Software and Cisco NX-OS Software could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition on an affected device. The vulnerability exists because the affected software insufficiently validates Cisco Fabric Services packet headers when the software processes packet data. An attacker could exploit this vulnerability by sending a maliciously crafted Cisco Fabric Services packet to an affected device. A successful exploit could allow the attacker to cause a buffer overflow condition on the device, which could allow the attacker to execute arbitrary code or cause a DoS condition on the device. This vulnerability affects the following if configured to use Cisco Fabric Services: Firepower 4100 Series Next-Generation Firewalls, Firepower 9300 Security Appliance, MDS 9000 Series Multilayer Switches, Nexus 2000 Series Fabric Extenders, Nexus 3000 Series Switches, Nexus 3500 Platform Switches, Nexus 5500 Platform Switches, Nexus 5600 Platform Switches, Nexus 6000 Series Switches, Nexus 7000 Series Switches, Nexus 7700 Series Switches, Nexus 9000 Series Switches in standalone NX-OS mode, Nexus 9500 R-Series Line Cards and Fabric Modules, UCS 6100 Series Fabric Interconnects, UCS 6200 Series Fabric Interconnects, UCS 6300 Series Fabric Interconnects. • http://www.securityfocus.com/bid/104515 http://www.securitytracker.com/id/1041169 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-fx-os-cli-execution • CWE-20: Improper Input Validation CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVE-2018-0338
https://notcve.org/view.php?id=CVE-2018-0338
A vulnerability in the role-based access-checking mechanisms of Cisco Unified Computing System (UCS) Software could allow an authenticated, local attacker to execute arbitrary commands on an affected system. The vulnerability exists because the affected software lacks proper input and validation checks for certain file systems. An attacker could exploit this vulnerability by issuing crafted commands in the CLI of an affected system. A successful exploit could allow the attacker to cause other users to execute unwanted arbitrary commands on the affected system. Cisco Bug IDs: CSCvf52994. • http://www.securityfocus.com/bid/104456 http://www.securitytracker.com/id/1041071 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-ucs-access • CWE-20: Improper Input Validation CWE-863: Incorrect Authorization •
CVE-2018-0238
https://notcve.org/view.php?id=CVE-2018-0238
A vulnerability in the role-based resource checking functionality of the Cisco Unified Computing System (UCS) Director could allow an authenticated, remote attacker to view unauthorized information for any virtual machine in the UCS Director end-user portal and perform any permitted operations on any virtual machine. The permitted operations can be configured for the end user on the virtual machines with either of the following settings: The virtual machine is associated to a Virtual Data Center (VDC) that has an end user self-service policy attached to the VDC. The end user role has VM Management Actions settings configured under User Permissions. This is a global configuration, so all the virtual machines visible in the end-user portal will have the VM management actions available. The vulnerability is due to improper user authentication checks. • http://www.securityfocus.com/bid/103919 http://www.securitytracker.com/id/1040708 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-uscd • CWE-287: Improper Authentication •
CVE-2018-0219
https://notcve.org/view.php?id=CVE-2018-0219
A vulnerability in the web-based management interface of Cisco Unified Computing System (UCS) Director could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive browser-based information. Cisco Bug IDs: CSCvg86518. • http://www.securityfocus.com/bid/103326 http://www.securitytracker.com/id/1040467 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180307-ucs • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-0113
https://notcve.org/view.php?id=CVE-2018-0113
A vulnerability in an operations script of Cisco UCS Central could allow an authenticated, remote attacker to execute arbitrary shell commands with the privileges of the daemon user. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by posting a crafted request to the user interface of Cisco UCS Central. This vulnerability affects Cisco UCS Central Software prior to Release 2.0(1c). Cisco Bug IDs: CSCve70825. • http://www.securityfocus.com/bid/102966 http://www.securitytracker.com/id/1040337 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180207-ucsc • CWE-20: Improper Input Validation •