CVE-2018-0458 – Cisco Prime Collaboration Assurance Cross-Site Scripting Vulnerability
https://notcve.org/view.php?id=CVE-2018-0458
A vulnerability in the web-based management interface of Cisco Prime Collaboration Assurance could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit this vulnerability by persuading a user of the interface to click a customized link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive browser-based information.
• http://www.securityfocus.com/bid/105293
• http://www.securitytracker.com/id/1041685
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-pca-xss
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-15389 – Cisco Prime Collaboration Provisioning Intermittent Hard-Coded Password Vulnerability
https://notcve.org/view.php?id=CVE-2018-15389
A vulnerability in the install function of Cisco Prime Collaboration Provisioning (PCP) could allow an unauthenticated, remote attacker to access the administrative web interface using a default hard-coded username and password that are used during install. The vulnerability is due to a hard-coded password that, in some cases, is not replaced with a unique password. A successful exploit could allow the attacker to access the administrative web interface with administrator-level privileges.
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-cpcp-password
• CWE-255: Credentials Management Errors
• CWE-798: Use of Hard-coded Credentials
CVE-2018-0391
https://notcve.org/view.php?id=CVE-2018-0391
A vulnerability in the password change function of Cisco Prime Collaboration Provisioning could allow an authenticated, remote attacker to cause the system to become inoperable. The vulnerability is due to insufficient validation of a password change request. An attacker could exploit this vulnerability by changing a specific administrator account password. A successful exploit could allow the attacker to cause the affected device to become inoperable, resulting in a denial of service (DoS) condition. This vulnerability affects Cisco Prime Collaboration Provisioning (PCP) Releases 12.2 and prior.
• http://www.securityfocus.com/bid/104942
• http://www.securitytracker.com/id/1041409
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180801-pcp-dos
• CWE-285: Improper Authorization
CVE-2018-0335
https://notcve.org/view.php?id=CVE-2018-0335
A vulnerability in the web portal authentication process of Cisco Prime Collaboration Provisioning could allow an unauthenticated, local attacker to view sensitive data. The vulnerability is due to improper logging of authentication data. An attacker could exploit this vulnerability by monitoring a specific world-readable file for this authentication data (cleartext passwords). An exploit could allow the attacker to gain authentication information for other users. Cisco Bug IDs: CSCvd86602.
• http://www.securityfocus.com/bid/104473
• http://www.securitytracker.com/id/1041069
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-cpcp-id
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
• CWE-522: Insufficiently Protected Credentials
• CWE-532: Insertion of Sensitive Information into Log File
CVE-2018-0336
https://notcve.org/view.php?id=CVE-2018-0336
A vulnerability in the batch provisioning feature of Cisco Prime Collaboration Provisioning could allow an authenticated, remote attacker to escalate privileges to the Administrator level. The vulnerability is due to insufficient authorization enforcement on batch processing. An attacker could exploit this vulnerability by uploading a batch file and having the batch file processed by the system. A successful exploit could allow the attacker to escalate privileges to the Administrator level. Cisco Bug IDs: CSCvd86578.
• http://www.securityfocus.com/bid/104429
• http://www.securitytracker.com/id/1041083
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-prime-escalation
• CWE-264: Permissions, Privileges, and Access Controls
• CWE-862: Missing Authorization