
CVSS: 5.3 • EPSS: 55% • CPEs: 1 • EXPL: 1

A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to retrieve sensitive information from an affected device. The vulnerability is due to improper access controls for certain URLs on affected DCNM software. An attacker could exploit this vulnerability by connecting to the web-based management interface of an affected device and requesting specific URLs. A successful exploit could allow the attacker to download log files and diagnostic information from the affected device.

• https://www.exploit-db.com/exploits/47347
• http://packetstormsecurity.com/files/153546/Cisco-Data-Center-Network-Manager-11.1-1-Remote-Code-Execution.html
• http://packetstormsecurity.com/files/154304/Cisco-Data-Center-Network-Manager-Unauthenticated-Remote-Code-Execution.html
• http://seclists.org/fulldisclosure/2019/Jul/7
• http://www.securityfocus.com/bid/108908
• https://seclists.org/bugtraq/2019/Jul/11
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-infodiscl

• CWE-284: Improper Access Control
• CWE-532: Insertion of Sensitive Information into Log File

CVSS: 9.8 • EPSS: 20% • CPEs: 1 • EXPL: 1

A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device. The vulnerability is due to improper session management on affected DCNM software. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow the attacker to gain administrative access on the affected device.

• https://www.exploit-db.com/exploits/47347
• http://packetstormsecurity.com/files/153546/Cisco-Data-Center-Network-Manager-11.1-1-Remote-Code-Execution.html
• http://packetstormsecurity.com/files/154304/Cisco-Data-Center-Network-Manager-Unauthenticated-Remote-Code-Execution.html
• http://seclists.org/fulldisclosure/2019/Jul/7
• http://www.securityfocus.com/bid/108902
• https://seclists.org/bugtraq/2019/Jul/11
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-bypass

• CWE-284: Improper Access Control
• CWE-798: Use of Hard-coded Credentials

CVSS: 9.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

A vulnerability in the web interface of Cisco Data Center Network Manager could allow an authenticated application administrator to execute commands on the underlying operating system with root-level privileges. The vulnerability is due to incomplete input validation of user input within an HTTP request. An attacker could exploit this vulnerability by authenticating to the application and then sending a crafted HTTP request to the targeted application. A successful exploit could allow the authenticated attacker to issue commands on the underlying operating system as the root user.

• http://www.securitytracker.com/id/1041682
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-cdcnm-escalation

• CWE-20: Improper Input Validation
• CWE-264: Permissions, Privileges, and Access Controls

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

A vulnerability in the web-based management interface of Cisco Data Center Network Manager could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the management interface on an affected device. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit this vulnerability by persuading a user of the interface to click a customized link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive browser-based information.

• http://www.securityfocus.com/bid/105288
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-dcnm-xss

• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.8 • EPSS: 0% • CPEs: 2 • EXPL: 0

A vulnerability in the web-based management interface of Cisco Data Center Network Manager could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. The vulnerability is due to insufficient CSRF protections on the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a crafted link. A successful exploit could allow the attacker to perform arbitrary actions on a targeted device via a web browser and with the privileges of the user. Cisco Bug IDs: CSCvg88291.

• http://www.securityfocus.com/bid/103335
• http://www.securitytracker.com/id/1040465
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180307-dcnm

• CWE-352: Cross-Site Request Forgery (CSRF)