CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 0CVE-2022-20812 – Cisco Expressway Series and Cisco TelePresence Video Communication Server Vulnerabilities
https://notcve.org/view.php?id=CVE-2022-20812
Multiple vulnerabilities in the API and in the web-based management interface of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow a remote attacker to overwrite arbitrary files or conduct null byte poisoning attacks on an affected device. Note: Cisco Expressway Series refers to the Expressway Control (Expressway-C) device and the Expressway Edge (Expressway-E) device. For more information about these vulnerabilities, see the Details section of this advisory. Múltiples vulnerabilidades en la API y en la interfaz de administración basada en web de la serie Expressway de Cisco y del servidor de comunicaciones de vídeo (VCS) de Cisco TelePresence podrían permitir a un atacante remoto sobrescribir archivos arbitrarios o conducir ataques de envenenamiento de bytes nulos en un dispositivo afectado. Nota: La serie Expressway de Cisco es referida al dispositivo Expressway Control (Expressway-C) y al dispositivo Expressway Edge (Expressway-E). • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-expressway-csrf-sqpsSfY6 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-expressway-overwrite-3buqW8LH • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-158: Improper Neutralization of Null Byte or NUL Character •
CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 0CVE-2021-34715 – Cisco Expressway Series and TelePresence Video Communication Server Image Verification Vulnerability
https://notcve.org/view.php?id=CVE-2021-34715
A vulnerability in the image verification function of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an authenticated, remote attacker to execute code with internal user privileges on the underlying operating system. The vulnerability is due to insufficient validation of the content of upgrade packages. An attacker could exploit this vulnerability by uploading a malicious archive to the Upgrade page of the administrative web interface. A successful exploit could allow the attacker to execute code with user-level privileges (the _nobody account) on the underlying operating system. Una vulnerabilidad en la función de comprobación de imagen de Cisco Expressway Series y Cisco TelePresence Video Communication Server (VCS) podría permitir a un atacante autenticado remoto ejecutar código con privilegios de usuario interno en el sistema operativo subyacente. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ewver-c6WZPXRx • CWE-347: Improper Verification of Cryptographic Signature •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2020-3482 – Cisco Expressway Software Unauthorized Access Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2020-3482
A vulnerability in the Traversal Using Relays around NAT (TURN) server component of Cisco Expressway software could allow an unauthenticated, remote attacker to bypass security controls and send network traffic to restricted destinations. The vulnerability is due to improper validation of specific connection information by the TURN server within the affected software. An attacker could exploit this issue by sending specially crafted network traffic to the affected software. A successful exploit could allow the attacker to send traffic through the affected software to destinations beyond the application, possibly allowing the attacker to gain unauthorized network access. Una vulnerabilidad en el componente servidor Traversal Using Relays around NAT (TURN) del software Cisco Expressway, podría permitir a un atacante remoto no autenticado omitir los controles de seguridad y enviar tráfico de red hacia destinos restringidos. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-Expressway-8J3yZ7hV • CWE-269: Improper Privilege Management CWE-284: Improper Access Control •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2020-3596 – Cisco Expressway Series and TelePresence Video Communication Server Denial of Service Vulnerability
https://notcve.org/view.php?id=CVE-2020-3596
A vulnerability in the Session Initiation Protocol (SIP) of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to incorrect handling of incoming SIP traffic. An attacker could exploit this vulnerability by sending a series of SIP packets to an affected device. A successful exploit could allow the attacker to exhaust memory on an affected device, causing it to crash and leading to a DoS condition. Una vulnerabilidad en el Session Initiation Protocol (SIP) de Cisco Expressway Series y Cisco TelePresence Video Communication Server (VCS), podría permitir a un atacante remoto no autenticado causar una condición de denegación de servicio (DoS) en un dispositivo afectado. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-expressway-vcs-dos-n6xxTMZB • CWE-670: Always-Incorrect Control Flow Implementation CWE-789: Memory Allocation with Excessive Size Value •
CVSS: 8.6EPSS: 0%CPEs: 32EXPL: 0CVE-2017-3790
https://notcve.org/view.php?id=CVE-2017-3790
A vulnerability in the received packet parser of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) software could allow an unauthenticated, remote attacker to cause a reload of the affected system, resulting in a denial of service (DoS) condition. The vulnerability is due to insufficient size validation of user-supplied data. An attacker could exploit this vulnerability by sending crafted H.224 data in Real-Time Transport Protocol (RTP) packets in an H.323 call. An exploit could allow the attacker to overflow a buffer in a cache that belongs to the received packet parser, which will result in a crash of the application, resulting in a DoS condition. All versions of Cisco Expressway Series Software and Cisco TelePresence VCS Software prior to version X8.8.2 are vulnerable. • http://www.securityfocus.com/bid/95786 http://www.securitytracker.com/id/1037697 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170125-expressway • CWE-20: Improper Input Validation CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-399: Resource Management Errors •