CVSS: 4.3EPSS: 0%CPEs: 1762EXPL: 0CVE-2019-1761 – Cisco IOS and IOS XE Software Hot Standby Router Protocol Information Leak Vulnerability
https://notcve.org/view.php?id=CVE-2019-1761
A vulnerability in the Hot Standby Router Protocol (HSRP) subsystem of Cisco IOS and IOS XE Software could allow an unauthenticated, adjacent attacker to receive potentially sensitive information from an affected device. The vulnerability is due to insufficient memory initialization. An attacker could exploit this vulnerability by receiving HSRPv2 traffic from an adjacent HSRP member. A successful exploit could allow the attacker to receive potentially sensitive information from the adjacent device. Una vulnerabilidad en el subsistema Hot Standby Router Protocol (HSRP) de los softwares Cisco IOS y IOS XE podría permitir que un atacante adyacente sin autenticar reciba información potencialmente sensible desde un dispositivo afectado. • http://www.securityfocus.com/bid/107620 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-ios-infoleak • CWE-665: Improper Initialization •
CVSS: 5.9EPSS: 0%CPEs: 239EXPL: 0CVE-2019-1757 – Cisco IOS and IOS XE Software Smart Call Home Certificate Validation Vulnerability
https://notcve.org/view.php?id=CVE-2019-1757
A vulnerability in the Cisco Smart Call Home feature of Cisco IOS and IOS XE Software could allow an unauthenticated, remote attacker to gain unauthorized read access to sensitive data using an invalid certificate. The vulnerability is due to insufficient certificate validation by the affected software. An attacker could exploit this vulnerability by supplying a crafted certificate to an affected device. A successful exploit could allow the attacker to conduct man-in-the-middle attacks to decrypt confidential information on user connections to the affected software. Una vulnerabilidad en la funcionalidad Cisco Smart Call Home de los softwares Cisco IOS y Cisco IOS XE podría permitir que un atacante remoto no autenticado obtenga acceso de lectura no autorizado a datos sensibles mediante un certificado inválido. • http://www.securityfocus.com/bid/107617 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-call-home-cert • CWE-295: Improper Certificate Validation •
CVSS: 9.0EPSS: 0%CPEs: 16EXPL: 0CVE-2019-1754 – Cisco IOS XE Software Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2019-1754
A vulnerability in the authorization subsystem of Cisco IOS XE Software could allow an authenticated but unprivileged (level 1), remote attacker to run privileged Cisco IOS commands by using the web UI. The vulnerability is due to improper validation of user privileges of web UI users. An attacker could exploit this vulnerability by submitting a malicious payload to a specific endpoint in the web UI. A successful exploit could allow the lower-privileged attacker to execute arbitrary commands with higher privileges on the affected device. Una vulnerabilidad en el subsistema de autorización del software Cisco IOS XE podría permitir que un atacante remoto autenticado sin privilegios (nivel 1) ejecute comandos Cisco IOS privilegiados mediante el uso de la interfaz web. • http://www.securityfocus.com/bid/107590 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-iosxe-privesc • CWE-20: Improper Input Validation CWE-269: Improper Privilege Management •
CVSS: 9.0EPSS: 0%CPEs: 16EXPL: 0CVE-2019-1756 – Cisco IOS XE Software Command Injection Vulnerability
https://notcve.org/view.php?id=CVE-2019-1756
A vulnerability in Cisco IOS XE Software could allow an authenticated, remote attacker to execute commands on the underlying Linux shell of an affected device with root privileges. The vulnerability occurs because the affected software improperly sanitizes user-supplied input. An attacker who has valid administrator access to an affected device could exploit this vulnerability by supplying a username with a malicious payload in the web UI and subsequently making a request to a specific endpoint in the web UI. A successful exploit could allow the attacker to run arbitrary commands as the root user, allowing complete compromise of the system. Una vulnerabilidad en el software Cisco IOS XE podría permitir que un atacante remoto autenticado ejecute comandos en el shell de Linux subyacente de un dispositivo afectado con privilegios root. • http://www.securityfocus.com/bid/107598 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-iosxe-cmdinject • CWE-20: Improper Input Validation •
CVSS: 7.4EPSS: 0%CPEs: 42EXPL: 0CVE-2019-1750 – Cisco IOS XE Software Catalyst 4500 Cisco Discovery Protocol Denial of Service Vulnerability
https://notcve.org/view.php?id=CVE-2019-1750
A vulnerability in the Easy Virtual Switching System (VSS) of Cisco IOS XE Software on Catalyst 4500 Series Switches could allow an unauthenticated, adjacent attacker to cause the switches to reload. The vulnerability is due to incomplete error handling when processing Cisco Discovery Protocol (CDP) packets used with the Easy Virtual Switching System. An attacker could exploit this vulnerability by sending a specially crafted CDP packet. An exploit could allow the attacker to cause the device to reload, resulting in a denial of service (DoS) condition. Una vulnerabilidad en el VSS (Easy Virtual Switching System) del software Cisco IOS XE en los switches Catalyst 4500 Series podría permitir que un atacante adyacente no autenticado provoque la recarga de los switches. • http://www.securityfocus.com/bid/107607 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-evss • CWE-20: Improper Input Validation CWE-388: 7PK - Errors •