CVE-2017-12276
https://notcve.org/view.php?id=CVE-2017-12276
A vulnerability in the web framework code for the SQL database interface of the Cisco Prime Collaboration Provisioning application could allow an authenticated, remote attacker to impact the confidentiality and integrity of the application by executing arbitrary SQL queries, aka SQL Injection. The attacker could read or write information from the SQL database. The vulnerability is due to a lack of proper validation on user-supplied input within SQL queries. An attacker could exploit this vulnerability by sending crafted URLs that contain malicious SQL statements to the affected application. An exploit could allow the attacker to determine the presence of certain values and write malicious input in the SQL database. • http://www.securityfocus.com/bid/101640 http://www.securitytracker.com/id/1039711 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171101-cpcp • CWE-20: Improper Input Validation CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2017-6759
https://notcve.org/view.php?id=CVE-2017-6759
A vulnerability in the UpgradeManager of the Cisco Prime Collaboration Provisioning Tool 12.1 could allow an authenticated, remote attacker to write arbitrary files as root on the system. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by triggering the upgrade package installation functionality. Cisco Bug IDs: CSCvc90304. Una vulnerabilidad en UpgradeManager del Cisco Prime Collaboration Provisioning Tool 12.1 podría permitir que un atacante remoto autenticado escriba archivos arbitrarios como root en el sistema. • http://www.securitytracker.com/id/1039062 https://quickview.cloudapps.cisco.com/quickview/bug/CSCvc90304 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170802-pcpt • CWE-20: Improper Input Validation •
CVE-2017-6756
https://notcve.org/view.php?id=CVE-2017-6756
A vulnerability in the Web UI Application of the Cisco Prime Collaboration Provisioning Tool through 12.2 could allow an unauthenticated, remote attacker to execute unwanted actions. The vulnerability is due to a lack of defense against cross-site request forgery (CSRF) attacks. An attacker could exploit this vulnerability by forcing the user's browser to perform any action authorized for that user. Cisco Bug IDs: CSCvc90280. Una vulnerabilidad en la aplicación de interfaz de usuario web de Cisco Prime Collaboration Provisioning Tool en su versión 12.2 podría permitir que un atacante remoto sin autenticar ejecute acciones no deseadas. • http://www.securityfocus.com/bid/100112 http://www.securitytracker.com/id/1039061 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170802-pcpt1 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2017-6755
https://notcve.org/view.php?id=CVE-2017-6755
A vulnerability in the web portal of the Cisco Prime Collaboration Provisioning (PCP) Tool could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface of an affected system. More Information: CSCvc90312. Known Affected Releases: 12.1. Una vulnerabilidad en el portal web de Cisco Prime Collaboration Provisioning (PCP) Tool podría permitir que un atacante remoto sin autenticar lleve a cabo un ataque de Cross-Site Scripting (XSS) contra un usuario de dicha interfaz web en el sistema afectado. Más información: CSCvc90312. • http://www.securityfocus.com/bid/99878 http://www.securitytracker.com/id/1038960 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170719-pcpt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2017-6706
https://notcve.org/view.php?id=CVE-2017-6706
A vulnerability in the logging subsystem of the Cisco Prime Collaboration Provisioning tool could allow an unauthenticated, local attacker to acquire sensitive information. More Information: CSCvd07260. Known Affected Releases: 12.1. Una vulnerabilidad en el subsistema de registro de la herramienta Prime Collaboration Provisioning de Cisco, podría permitir a un atacante local no identificado adquirir información confidencial. Más información: CSCvd07260. • http://www.securityfocus.com/bid/99204 http://www.securitytracker.com/id/1038744 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170621-pcp4 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •