CVSS: 7.1EPSS: 0%CPEs: 14EXPL: 0CVE-2022-20850 – Cisco SD-WAN Arbitrary File Deletion Vulnerability
https://notcve.org/view.php?id=CVE-2022-20850
A vulnerability in the CLI of stand-alone Cisco IOS XE SD-WAN Software and Cisco SD-WAN Software could allow an authenticated, local attacker to delete arbitrary files from the file system of an affected device. This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by injecting arbitrary file path information when using commands in the CLI of an affected device. A successful exploit could allow the attacker to delete arbitrary files from the file system of the affected device. Una vulnerabilidad en la CLI del software Cisco IOS XE SD-WAN independiente y del software Cisco SD-WAN podría permitir a un atacante local autenticado eliminar archivos arbitrarios del sistema de archivos de un dispositivo afectado. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-arb-file-delete-VB2rVcQv • CWE-20: Improper Input Validation CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.8EPSS: 0%CPEs: 83EXPL: 1CVE-2022-20818 – Cisco SD-WAN Software Privilege Escalation Vulnerabilities
https://notcve.org/view.php?id=CVE-2022-20818
Multiple vulnerabilities in the CLI of Cisco SD-WAN Software could allow an authenticated, local attacker to gain elevated privileges. These vulnerabilities are due to improper access controls on commands within the application CLI. An attacker could exploit these vulnerabilities by running a malicious command on the application CLI. A successful exploit could allow the attacker to execute arbitrary commands as the root user. Múltiples vulnerabilidades en la CLI del software Cisco SD-WAN podrían permitir a un atacante local autenticado conseguir altos privilegios. • https://github.com/mbadanoiu/CVE-2022-20818 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sd-wan-priv-E6e8tEdF • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-25: Path Traversal: '/../filedir' •
CVSS: 7.5EPSS: 0%CPEs: 9EXPL: 0CVE-2021-22956
https://notcve.org/view.php?id=CVE-2021-22956
An uncontrolled resource consumption vulnerability exists in Citrix ADC <13.0-83.27, <12.1-63.22 and 11.1-65.23 that could allow an attacker with access to NSIP or SNIP with management interface access to cause a temporary disruption of the Management GUI, Nitro API, and RPC communication. Se presenta una vulnerabilidad de consumo no controlado de recursos en Citrix ADC versiones anteriores a 13.0-83.27, versiones anteriores a 12.1-63.22 y 11.1-65.23 que podría permitir a un atacante con acceso a NSIP o SNIP con acceso a la interfaz de administración causar una interrupción temporal de la GUI de administración, la API Nitro y la comunicación RPC • https://support.citrix.com/article/CTX330728 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2021-1612 – Cisco IOS XE SD-WAN Software Arbitrary File Overwrite Vulnerability
https://notcve.org/view.php?id=CVE-2021-1612
A vulnerability in the Cisco IOS XE SD-WAN Software CLI could allow an authenticated, local attacker to overwrite arbitrary files on the local system. This vulnerability is due to improper access controls on files within the local file system. An attacker could exploit this vulnerability by placing a symbolic link in a specific location on the local file system. A successful exploit could allow the attacker to overwrite arbitrary files on an affected device. Una vulnerabilidad en la CLI de Cisco IOS XE SD-WAN Software podría permitir a un atacante local autenticado sobrescribir archivos arbitrarios en el sistema local. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sd-wan-GjR5pGOm • CWE-59: Improper Link Resolution Before File Access ('Link Following') CWE-61: UNIX Symbolic Link (Symlink) Following •
CVSS: 7.2EPSS: 0%CPEs: 6EXPL: 0CVE-2021-34726 – Cisco SD-WAN Software Command Injection Vulnerability
https://notcve.org/view.php?id=CVE-2021-34726
A vulnerability in the CLI of Cisco SD-WAN Software could allow an authenticated, local attacker to inject arbitrary commands to be executed with root-level privileges on the underlying operating system of an affected device. This vulnerability is due to insufficient input validation on certain CLI commands. An attacker could exploit this vulnerability by authenticating to an affected device and submitting crafted input to the CLI. The attacker must be authenticated as an administrative user to execute the affected commands. A successful exploit could allow the attacker to execute commands with root-level privileges. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-maapi-cmdinjec-znUYTuC • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •