CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2020-3337 – Cisco Umbrella Open Redirect Vulnerability
https://notcve.org/view.php?id=CVE-2020-3337
A vulnerability in the web server of Cisco Umbrella could allow an unauthenticated, remote attacker to redirect a user to an undesired web page. The vulnerability is due to improper input validation of the URL parameters in an HTTP request that is sent to an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request that could cause the web application to redirect the request to a specified malicious URL. A successful exploit could allow the attacker to redirect a user to a malicious website. Una vulnerabilidad en el servidor web de Cisco Umbrella, podría permitir a un atacante remoto no autenticado redireccionar a un usuario hacia una página web no deseada. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-umbrella-open-redire-UgK9dWK4 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 4.7EPSS: 0%CPEs: 1EXPL: 0CVE-2020-3246 – Cisco Umbrella Carriage Return Line Feed Injection Vulnerability
https://notcve.org/view.php?id=CVE-2020-3246
A vulnerability in the web server of Cisco Umbrella could allow an unauthenticated, remote attacker to perform a carriage return line feed (CRLF) injection attack against a user of an affected service. The vulnerability is due to insufficient validation of user input. An attacker could exploit this vulnerability by persuading a user to access a crafted URL. A successful exploit could allow the attacker to inject arbitrary HTTP headers into valid HTTP responses sent to the browser of the user. Una vulnerabilidad en el servidor web de Cisco Umbrella podría permitir a un atacante remoto no autenticado llevar a cabo un ataque de inyección de tipo carriage return line feed (CRLF) contra un usuario de un servicio afectado. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-umbrella-head-inject-n4QArJH • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2019-1807 – Cisco Umbrella Dashboard Session Management Vulnerability
https://notcve.org/view.php?id=CVE-2019-1807
A vulnerability in the session management functionality of the web UI for the Cisco Umbrella Dashboard could allow an authenticated, remote attacker to access the Dashboard via an active, user session. The vulnerability exists due to the affected application not invalidating an existing session when a user authenticates to the application and changes the users credentials via another authenticated session. An attacker could exploit this vulnerability by using a separate, authenticated, active session to connect to the application through the web UI. A successful exploit could allow the attacker to maintain access to the dashboard via an authenticated user's browser session. Cisco has addressed this vulnerability in the Cisco Umbrella Dashboard. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-udb-sm • CWE-384: Session Fixation •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2019-1792 – Cisco Umbrella Cross-Site Scripting Vulnerability
https://notcve.org/view.php?id=CVE-2019-1792
A vulnerability in the URL block page of Cisco Umbrella could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user in a network protected by Umbrella. The vulnerability is due to insufficient validation of input parameters passed to that page. An attacker could exploit this vulnerability by persuading a user of the interface to click a maliciously crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive browser-based information. This vulnerability has been fixed in the current version of Cisco Umbrella. • http://www.securityfocus.com/bid/108014 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190417-umbrella-xss • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2018-0435 – Cisco Umbrella API Unauthorized Access Vulnerability
https://notcve.org/view.php?id=CVE-2018-0435
A vulnerability in the Cisco Umbrella API could allow an authenticated, remote attacker to view and modify data across their organization and other organizations. The vulnerability is due to insufficient authentication configurations for the API interface of Cisco Umbrella. An attacker could exploit this vulnerability to view and potentially modify data for their organization or other organizations. A successful exploit could allow the attacker to read or modify data across multiple organizations. Una vulnerabilidad en la API de Cisco Umbrella podría permitir a un atacante remoto autenticado visualizar y modificar datos en toda su organización y en otras organizaciones. • http://www.securityfocus.com/bid/105283 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-umbrella-api • CWE-287: Improper Authentication •