CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2018-0322
https://notcve.org/view.php?id=CVE-2018-0322
A vulnerability in the web management interface of Cisco Prime Collaboration Provisioning (PCP) could allow an authenticated, remote attacker to modify sensitive data that is associated with arbitrary accounts on an affected device. The vulnerability is due to a failure to enforce access restrictions on the Help Desk and User Provisioning roles that are assigned to authenticated users. This failure could allow an authenticated attacker to modify critical attributes of higher-privileged accounts on the device. A successful exploit could allow the attacker to gain elevated privileges on the device. This vulnerability affects Cisco Prime Collaboration Provisioning (PCP) Releases 12.1 and prior. • http://www.securityfocus.com/bid/104443 http://www.securitytracker.com/id/1041064 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-prime-access • CWE-264: Permissions, Privileges, and Access Controls CWE-862: Missing Authorization •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2018-0320
https://notcve.org/view.php?id=CVE-2018-0320
A vulnerability in the web framework code of Cisco Prime Collaboration Provisioning (PCP) could allow an unauthenticated, remote attacker to execute arbitrary SQL queries. The vulnerability is due to a lack of proper validation on user-supplied input in SQL queries. An attacker could exploit this vulnerability by sending crafted URLs that contain malicious SQL statements to the affected application. This vulnerability affects Cisco Prime Collaboration Provisioning (PCP) Releases 12.1 and prior. Cisco Bug IDs: CSCvd61754. • http://www.securityfocus.com/bid/104416 http://www.securitytracker.com/id/1041084 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-prime-sql • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2018-0317
https://notcve.org/view.php?id=CVE-2018-0317
A vulnerability in the web interface of Cisco Prime Collaboration Provisioning (PCP) could allow an authenticated, remote attacker to escalate their privileges. The vulnerability is due to insufficient web portal access control checks. An attacker could exploit this vulnerability by modifying an access request. An exploit could allow the attacker to promote their account to any role defined on the system. This vulnerability affects Cisco Prime Collaboration Provisioning (PCP) Releases 12.2 and prior. • http://www.securityfocus.com/bid/104432 http://www.securitytracker.com/id/1041080 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-prime-bypass • CWE-264: Permissions, Privileges, and Access Controls CWE-862: Missing Authorization •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2018-0204
https://notcve.org/view.php?id=CVE-2018-0204
A vulnerability in the web portal of the Cisco Prime Collaboration Provisioning Tool could allow an unauthenticated, remote attacker to create a denial of service (DoS) condition for individual users. The vulnerability is due to weak login controls. An attacker could exploit this vulnerability by using a brute-force attack (Repeated Bad Login Attempts). A successful exploit could allow the attacker to restrict user access. Manual administrative intervention is required to restore access. • http://www.securityfocus.com/bid/103150 http://www.securitytracker.com/id/1040410 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180221-pcpt • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-521: Weak Password Requirements •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2018-0205
https://notcve.org/view.php?id=CVE-2018-0205
A vulnerability in the User Provisioning tab in the Cisco Prime Collaboration Provisioning Tool could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack. The vulnerability is due to improper input validation. An attacker could exploit this vulnerability by placing a malicious string in the Prime Collaboration Provisioning database. A successful exploit could allow the attacker to access Cisco Prime Collaboration Provisioning by injecting crafted data into the database. Cisco Bug IDs: CSCvd86609. • http://www.securityfocus.com/bid/103145 http://www.securitytracker.com/id/1040409 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180221-pcpt1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •