CVE-2020-3401 – Cisco SD-WAN vManage Software Path Traversal Vulnerability
https://notcve.org/view.php?id=CVE-2020-3401
A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to conduct path traversal attacks and obtain read access to sensitive files on an affected system. The vulnerability is due to insufficient validation of HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request that contains directory traversal character sequences to the affected system. A successful exploit could allow the attacker to view arbitrary files on the affected system. Una vulnerabilidad en la interfaz de administración basada en web de Cisco SD-WAN vManage Software podría permitir a un atacante remoto autenticado llevar a cabo ataques de salto de ruta y obtener acceso de lectura a archivos confidenciales sobre un sistema afectado. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vmandowndir-CVGvdKM3 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2020-3388 – Cisco SD-WAN vManage Software Command Injection Vulnerability
https://notcve.org/view.php?id=CVE-2020-3388
A vulnerability in the CLI of Cisco SD-WAN vManage Software could allow an authenticated, local attacker to inject arbitrary commands that are executed with root privileges. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by authenticating to the device and submitting crafted input to the CLI. The attacker must be authenticated to access the CLI. A successful exploit could allow the attacker to execute commands with root privileges. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-clibypvman-sKcLf2L • CWE-287: Improper Authentication •
CVE-2020-3387 – Cisco SD-WAN vManage Software Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2020-3387
A vulnerability in Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to execute code with root privileges on an affected system. The vulnerability is due to insufficient input sanitization during user authentication processing. An attacker could exploit this vulnerability by sending a crafted response to the Cisco SD-WAN vManage Software. A successful exploit could allow the attacker to access the software and execute commands they should not be authorized to execute. Una vulnerabilidad en el Cisco SD-WAN vManage Software podría permitir a un atacante remoto autenticado ejecutar código con privilegios root sobre un sistema afectado. • http://packetstormsecurity.com/files/162958/Cisco-SD-WAN-vManage-19.2.2-Remote-Root.html https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vmanrce-4jtWT28P • CWE-20: Improper Input Validation •
CVE-2020-3381 – Cisco SD-WAN vManage Software Directory Traversal Vulnerability
https://notcve.org/view.php?id=CVE-2020-3381
A vulnerability in the web management interface of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to conduct directory traversal attacks and obtain read and write access to sensitive files on a targeted system. The vulnerability is due to a lack of proper validation of files that are uploaded to an affected device. An attacker could exploit this vulnerability by uploading a crafted file to an affected system. An exploit could allow the attacker to view or modify arbitrary files on the targeted system. Una vulnerabilidad en la interfaz de administración web de Cisco SD-WAN vManage Software podría permitir a un atacante remoto autenticado llevar a cabo ataques de salto de directorio y obtener acceso de lectura y escritura a archivos confidenciales en un sistema objetivo. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vmdirtrav-eFdAxsJg • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2020-3378 – Cisco SD-WAN vManage Software SQL Injection Vulnerability
https://notcve.org/view.php?id=CVE-2020-3378
A vulnerability in the web-based management interface for Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to impact the integrity of an affected system by executing arbitrary SQL queries. The vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending crafted input that includes SQL statements to an affected system. A successful exploit could allow the attacker to modify entries in some database tables, affecting the integrity of the data. Una vulnerabilidad en la interfaz de administración basada en web para Cisco SD-WAN vManage Software podría permitir a un atacante remoto autenticado afectar la integridad de un sistema afectado mediante una ejecución de consultas SQL arbitrarias. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sivm-M8wugR9O • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •