CVE-2017-3868
https://notcve.org/view.php?id=CVE-2017-3868
A vulnerability in the web-based management interface of Cisco UCS Director could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. More Information: CSCvc44344. Known Affected Releases: 6.0(0.0). Una vulnerabilidad en la interfaz de administración basada en web de Cisco UCS Director podría permitir que un atacante remoto no autenticado lleve a cabo un ataque XSS contra un usuario de la interfaz de administración basada en web de un dispositivo afectado. Más información: CSCvc44344. • http://www.securityfocus.com/bid/96921 http://www.securitytracker.com/id/1038039 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170315-ucs • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2017-3801
https://notcve.org/view.php?id=CVE-2017-3801
A vulnerability in the web-based GUI of Cisco UCS Director 6.0.0.0 and 6.0.0.1 could allow an authenticated, local attacker to execute arbitrary workflow items with just an end-user profile, a Privilege Escalation Vulnerability. The vulnerability is due to improper role-based access control (RBAC) after the Developer Menu is enabled in Cisco UCS Director. An attacker could exploit this vulnerability by enabling Developer Mode for his/her user profile with an end-user profile and then adding new catalogs with arbitrary workflow items to his/her profile. An exploit could allow an attacker to perform any actions defined by these workflow items, including actions affecting other tenants. Cisco Bug IDs: CSCvb64765. • http://www.securityfocus.com/bid/96235 http://www.securitytracker.com/id/1037830 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170215-ucs • CWE-264: Permissions, Privileges, and Access Controls CWE-863: Incorrect Authorization •
CVE-2015-6259
https://notcve.org/view.php?id=CVE-2015-6259
The JavaServer Pages (JSP) component in Cisco Integrated Management Controller (IMC) Supervisor before 1.0.0.1 and UCS Director (formerly Cloupia Unified Infrastructure Controller) before 5.2.0.1 allows remote attackers to write to arbitrary files via crafted HTTP requests, aka Bug IDs CSCus36435 and CSCus62625. Vulnerabilidad en el componente JavaServer Pages (JSP) en Cisco Integrated Management Controller (IMC) Supervisor en versiones anteriores a 1.0.0.1 y UCS Director (anteriormente Cloupia Unified Infrastructure Controller) en versiones anteriores a 5.2.0.1, permite a atacantes remotos escribir en archivos arbitrarios a través de peticiones HTTP manipuladas, también conocida como Bug IDs CSCus36435 y CSCus62625. • http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150902-cimcs http://www.securitytracker.com/id/1033451 • CWE-20: Improper Input Validation •