CVSS: 7.2EPSS: 0%CPEs: 118EXPL: 0CVE-2020-3214 – Cisco IOS XE Software Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2020-3214
A vulnerability in Cisco IOS XE Software could allow an authenticated, local attacker to escalate their privileges to a user with root-level privileges. The vulnerability is due to insufficient validation of user-supplied content. This vulnerability could allow an attacker to load malicious software onto an affected device. Una vulnerabilidad en Cisco IOS XE Software, podría permitir a un atacante local autenticado escalar sus privilegios hacia un usuario con privilegios de nivel root. La vulnerabilidad es debido a una comprobación insuficiente del contenido suministrado por el usuario. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-priv-esc2-A6jVRu7C • CWE-20: Improper Input Validation CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.2EPSS: 0%CPEs: 192EXPL: 0CVE-2020-3213 – Cisco IOS XE Software Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2020-3213
A vulnerability in the ROMMON of Cisco IOS XE Software could allow an authenticated, local attacker to elevate privileges to those of the root user of the underlying operating system. The vulnerability is due to the ROMMON allowing for special parameters to be passed to the device at initial boot up. An attacker could exploit this vulnerability by sending parameters to the device at initial boot up. An exploit could allow the attacker to elevate from a Priv15 user to the root user and execute arbitrary commands with the privileges of the root user. Una vulnerabilidad en el ROMMON de Cisco IOS XE Software, podría permitir a un atacante local autenticado elevar los privilegios a los del usuario root del sistema operativo subyacente. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-priv-esc3-GMgnGCHx • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 9.0EPSS: 0%CPEs: 6EXPL: 0CVE-2020-3212 – Cisco IOS XE Software Web UI Command Injection Vulnerability
https://notcve.org/view.php?id=CVE-2020-3212
A vulnerability in the web UI of Cisco IOS XE Software could allow an authenticated, remote attacker to execute arbitrary commands with root privileges on the underlying operating system of an affected device. The vulnerability is due to improper input sanitization. An attacker could exploit this vulnerability by uploading a crafted file to the web UI of an affected device. A successful exploit could allow the attacker to inject and execute arbitrary commands with root privileges on the device. Una vulnerabilidad en la Interfaz de Usuario web de Cisco IOS XE Software, podría permitir a un atacante remoto autenticado ejecutar comandos arbitrarios con privilegios root en el sistema operativo subyacente de un dispositivo afectado. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-web-cmdinj3-44st5CcA • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.0EPSS: 0%CPEs: 16EXPL: 0CVE-2020-3211 – Cisco IOS XE Software Web UI Command Injection Vulnerability
https://notcve.org/view.php?id=CVE-2020-3211
A vulnerability in the web UI of Cisco IOS XE Software could allow an authenticated, remote attacker to execute arbitrary commands with root privileges on the underlying operating system of an affected device. The vulnerability is due to improper input sanitization. An attacker who has valid administrative access to an affected device could exploit this vulnerability by supplying a crafted input parameter on a form in the web UI and then submitting that form. A successful exploit could allow the attacker to execute arbitrary commands with root privileges on the device, which could lead to complete system compromise. Una vulnerabilidad en la Interfaz de Usuario web de Cisco IOS XE Software, podría permitir a un atacante remoto autenticado ejecutar comandos arbitrarios con privilegios root en el sistema operativo subyacente de un dispositivo afectado. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-web-cmdinj4-S2TmH7GA • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 7.2EPSS: 0%CPEs: 314EXPL: 0CVE-2020-3209 – Cisco IOS XE Software Digital Signature Verification Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2020-3209
A vulnerability in software image verification in Cisco IOS XE Software could allow an unauthenticated, physical attacker to install and boot a malicious software image or execute unsigned binaries on an affected device. The vulnerability is due to an improper check on the area of code that manages the verification of the digital signatures of system image files during the initial boot process. An attacker could exploit this vulnerability by loading unsigned software on an affected device. A successful exploit could allow the attacker to install and boot a malicious software image or execute unsigned binaries on the targeted device. Una vulnerabilidad en la verificación de la imagen del software en Cisco IOS XE Software, podría permitir a un atacante físico no autenticado instalar y arrancar una imagen de software malicioso o ejecutar archivos binarios sin firmar sobre un dispositivo afectado. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-digsig-bypass-FYQ3bmVq • CWE-347: Improper Verification of Cryptographic Signature •