CVSS: 9.0EPSS: 0%CPEs: 15EXPL: 0CVE-2019-1753 – Cisco IOS XE Software Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2019-1753
A vulnerability in the web UI of Cisco IOS XE Software could allow an authenticated but unprivileged (level 1), remote attacker to run privileged Cisco IOS commands by using the web UI. The vulnerability is due to a failure to validate and sanitize input in Web Services Management Agent (WSMA) functions. An attacker could exploit this vulnerability by submitting a malicious payload to the affected device's web UI. A successful exploit could allow the lower-privileged attacker to execute arbitrary commands with higher privileges on the affected device. Una vulnerabilidad en la interfaz web del software Cisco IOS XE podría permitir que un atacante remoto autenticado sin privilegios (nivel 1) ejecute comandos Cisco IOS privilegiados mediante el uso de la interfaz web. • http://www.securityfocus.com/bid/107602 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-iosxe-pe • CWE-20: Improper Input Validation •
CVSS: 7.4EPSS: 0%CPEs: 48EXPL: 0CVE-2019-1749 – Cisco Aggregation Services Router 900 Route Switch Processor 3 OSPFv2 Denial of Service Vulnerability
https://notcve.org/view.php?id=CVE-2019-1749
A vulnerability in the ingress traffic validation of Cisco IOS XE Software for Cisco Aggregation Services Router (ASR) 900 Route Switch Processor 3 (RSP3) could allow an unauthenticated, adjacent attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition. The vulnerability exists because the software insufficiently validates ingress traffic on the ASIC used on the RSP3 platform. An attacker could exploit this vulnerability by sending a malformed OSPF version 2 (OSPFv2) message to an affected device. A successful exploit could allow the attacker to cause a reload of the iosd process, triggering a reload of the affected device and resulting in a DoS condition. Una vulnerabilidad en la validación del tráfico entrante del software Cisco IOS XE para Cisco Aggregation Services Router (ASR) 900 Route Switch Processor 3 (RSP3) podría permitir que un atacante adyacente no autenticado desencadene la recarga de un dispositivo afectado, lo que resulta en una condición de denegación de servicio (DoS). • http://www.securityfocus.com/bid/107615 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-rsp3-ospf • CWE-20: Improper Input Validation •
CVSS: 8.8EPSS: 0%CPEs: 155EXPL: 0CVE-2019-1745 – Cisco IOS XE Software Command Injection Vulnerability
https://notcve.org/view.php?id=CVE-2019-1745
A vulnerability in Cisco IOS XE Software could allow an authenticated, local attacker to inject arbitrary commands that are executed with elevated privileges. The vulnerability is due to insufficient input validation of commands supplied by the user. An attacker could exploit this vulnerability by authenticating to a device and submitting crafted input to the affected commands. An exploit could allow the attacker to gain root privileges on the affected device. Una vulnerabilidad en el software Cisco IOS XE podría permitir que un atacante local autenticado inyecte comandos arbitrarios que se ejecutan con privilegios elevados. • http://www.securityfocus.com/bid/107588 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-xecmd • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.8EPSS: 0%CPEs: 31EXPL: 0CVE-2019-1743 – Cisco IOS XE Software Arbitrary File Upload Vulnerability
https://notcve.org/view.php?id=CVE-2019-1743
A vulnerability in the web UI framework of Cisco IOS XE Software could allow an authenticated, remote attacker to make unauthorized changes to the filesystem of the affected device. The vulnerability is due to improper input validation. An attacker could exploit this vulnerability by crafting a malicious file and uploading it to the device. An exploit could allow the attacker to gain elevated privileges on the affected device. Una vulnerabilidad en el framework de la interfaz web del software Cisco IOS XE podría permitir que un atacante remoto autenticado realice cambios no autorizados en el sistema de archivos del dispositivo afectado. • http://www.securityfocus.com/bid/107591 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-afu • CWE-20: Improper Input Validation •
CVSS: 8.6EPSS: 0%CPEs: 14EXPL: 0CVE-2019-1741 – Cisco IOS XE Software Encrypted Traffic Analytics Denial of Service Vulnerability
https://notcve.org/view.php?id=CVE-2019-1741
A vulnerability in the Cisco Encrypted Traffic Analytics (ETA) feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. The vulnerability is due to a logic error that exists when handling a malformed incoming packet, leading to access to an internal data structure after it has been freed. An attacker could exploit this vulnerability by sending crafted, malformed IP packets to an affected device. A successful exploit could allow the attacker to cause an affected device to reload, resulting in a DoS condition. Una vulnerabilidad en la característica ETA (Cisco Encrypted Traffic Analytics) del software Cisco IOS XE podría permitir que un atacante remoto sin autenticar provoque una denegación de servicio (DoS). • http://www.securityfocus.com/bid/107614 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-eta-dos • CWE-20: Improper Input Validation CWE-416: Use After Free •