CVE-2018-0318
https://notcve.org/view.php?id=CVE-2018-0318
A vulnerability in the password reset function of Cisco Prime Collaboration Provisioning (PCP) could allow an unauthenticated, remote attacker to gain unauthorized access to an affected device. The vulnerability is due to insufficient validation of a password reset request. An attacker could exploit this vulnerability by submitting a password reset request and changing the password for any user on an affected system. An exploit could allow the attacker to gain administrative-level privileges on the affected system. This vulnerability affects Cisco Prime Collaboration Provisioning (PCP) Releases 11.6 and prior. • http://www.securityfocus.com/bid/104434 http://www.securitytracker.com/id/1041082 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-prime-password-reset • CWE-255: Credentials Management Errors CWE-287: Improper Authentication •
CVE-2018-0141
https://notcve.org/view.php?id=CVE-2018-0141
A vulnerability in Cisco Prime Collaboration Provisioning (PCP) Software 11.6 could allow an unauthenticated, local attacker to log in to the underlying Linux operating system. The vulnerability is due to a hard-coded account password on the system. An attacker could exploit this vulnerability by connecting to the affected system via Secure Shell (SSH) using the hard-coded credentials. A successful exploit could allow the attacker to access the underlying operating system as a low-privileged user. After low-level privileges are gained, the attacker could elevate to root privileges and take full control of the device. • http://www.securityfocus.com/bid/103329 http://www.securitytracker.com/id/1040462 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180307-cpcp • CWE-798: Use of Hard-coded Credentials •
CVE-2017-12276
https://notcve.org/view.php?id=CVE-2017-12276
A vulnerability in the web framework code for the SQL database interface of the Cisco Prime Collaboration Provisioning application could allow an authenticated, remote attacker to impact the confidentiality and integrity of the application by executing arbitrary SQL queries, aka SQL Injection. The attacker could read or write information from the SQL database. The vulnerability is due to a lack of proper validation on user-supplied input within SQL queries. An attacker could exploit this vulnerability by sending crafted URLs that contain malicious SQL statements to the affected application. An exploit could allow the attacker to determine the presence of certain values and write malicious input in the SQL database. • http://www.securityfocus.com/bid/101640 http://www.securitytracker.com/id/1039711 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171101-cpcp • CWE-20: Improper Input Validation CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2017-6706
https://notcve.org/view.php?id=CVE-2017-6706
A vulnerability in the logging subsystem of the Cisco Prime Collaboration Provisioning tool could allow an unauthenticated, local attacker to acquire sensitive information. More Information: CSCvd07260. Known Affected Releases: 12.1. Una vulnerabilidad en el subsistema de registro de la herramienta Prime Collaboration Provisioning de Cisco, podría permitir a un atacante local no identificado adquirir información confidencial. Más información: CSCvd07260. • http://www.securityfocus.com/bid/99204 http://www.securitytracker.com/id/1038744 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170621-pcp4 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2017-6703
https://notcve.org/view.php?id=CVE-2017-6703
A vulnerability in the web application in the Cisco Prime Collaboration Provisioning tool could allow an unauthenticated, remote attacker to hijack another user's session. More Information: CSCvc90346. Known Affected Releases: 12.1. Una vulnerabilidad en la aplicación web en la herramienta Prime Collaboration Provisioning de Cisco, podría permitir a un atacante remoto no identificado secuestrar la sesión de otro usuario. Más información: CSCvc90346. • http://www.securityfocus.com/bid/99224 http://www.securitytracker.com/id/1038744 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170621-pcp1 • CWE-287: Improper Authentication •