CVSS: 7.2EPSS: 0%CPEs: 63EXPL: 1CVE-2021-1383 – Cisco IOS XE SD-WAN Software Parameter Injection Vulnerabilities
https://notcve.org/view.php?id=CVE-2021-1383
Multiple vulnerabilities in the CLI of Cisco IOS XE SD-WAN Software could allow an authenticated, local attacker to access the underlying operating system with root privileges. These vulnerabilities are due to insufficient input validation of certain CLI commands. An attacker could exploit these vulnerabilities by authenticating to the device and submitting crafted input to the CLI. The attacker must be authenticated as an administrative user to execute the affected commands. A successful exploit could allow the attacker to access the underlying operating system with root privileges. • https://github.com/orangecertcc/security-research/security/advisories/GHSA-vw54-f9mw-g46r https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-xesdwpinj-V4weeqzU • CWE-20: Improper Input Validation CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') •
CVSS: 7.2EPSS: 0%CPEs: 2EXPL: 0CVE-2021-1454 – Cisco IOS XE SD-WAN Software Parameter Injection Vulnerabilities
https://notcve.org/view.php?id=CVE-2021-1454
Multiple vulnerabilities in the CLI of Cisco IOS XE SD-WAN Software could allow an authenticated, local attacker to access the underlying operating system with root privileges. These vulnerabilities are due to insufficient input validation of certain CLI commands. An attacker could exploit these vulnerabilities by authenticating to the device and submitting crafted input to the CLI. The attacker must be authenticated as an administrative user to execute the affected commands. A successful exploit could allow the attacker to access the underlying operating system with root privileges. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-xesdwpinj-V4weeqzU • CWE-20: Improper Input Validation CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') •
CVSS: 7.3EPSS: 0%CPEs: 26EXPL: 0CVE-2021-1432 – Cisco IOS XE SD-WAN Software Arbitrary Command Execution Vulnerability
https://notcve.org/view.php?id=CVE-2021-1432
A vulnerability in the CLI of Cisco IOS XE SD-WAN Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system as the root user. The attacker must be authenticated on the affected device as a low-privileged user to exploit this vulnerability. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by injecting arbitrary commands to a file as a lower-privileged user. The commands are then executed on the device by the root user. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-sdwarbcmdexec-sspOMUr3 • CWE-20: Improper Input Validation CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2021-1225 – Cisco SD-WAN vManage SQL Injection Vulnerabilities
https://notcve.org/view.php?id=CVE-2021-1225
Multiple vulnerabilities in the web-based management interface of Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to conduct SQL injection attacks on an affected system. These vulnerabilities exist because the web-based management interface improperly validates values in SQL queries. An attacker could exploit these vulnerabilities by authenticating to the application and sending malicious SQL queries to an affected system. A successful exploit could allow the attacker to modify values on or return values from the underlying database or the operating system. Varias vulnerabilidades en la interfaz de administración basada en web del Software Cisco SD-WAN vManage, podrían permitir a un atacante remoto no autenticado conducir ataques de inyección SQL en un sistema afectado. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vman-sqlinjm-xV8dsjq5 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.6EPSS: 0%CPEs: 22EXPL: 0CVE-2021-1241 – Cisco SD-WAN Denial of Service Vulnerabilities
https://notcve.org/view.php?id=CVE-2021-1241
Multiple vulnerabilities in Cisco SD-WAN products could allow an unauthenticated, remote attacker to execute denial of service (DoS) attacks against an affected device. For more information about these vulnerabilities, see the Details section of this advisory. Varias vulnerabilidades en los productos Cisco SD-WAN, podrían permitir a un atacante remoto no autenticado ejecutar ataques de denegación de servicio (DoS) contra un dispositivo afectado. Para obtener más información sobre estas vulnerabilidades, consulte la sección Detalles de este aviso • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-dosmulti-48jJuEUP • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •