CVSS: 8.1EPSS: 0%CPEs: 3EXPL: 0CVE-2019-1825 – Cisco Prime Infrastructure and Evolved Programmable Network Manager SQL Injection Vulnerabilities
https://notcve.org/view.php?id=CVE-2019-1825
16 May 2019 — A vulnerability in the web-based management interface of Cisco Prime Infrastructure (PI) and Cisco Evolved Programmable Network (EPN) Manager could allow an authenticated, remote attacker to execute arbitrary SQL queries. This vulnerability exist because the software improperly validates user-supplied input in SQL queries. An attacker could exploit this vulnerability by sending a crafted HTTP request that contains malicious SQL statements to the affected application. A successful exploit could allow the att... • http://www.securityfocus.com/bid/108337 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.0EPSS: 0%CPEs: 30EXPL: 1CVE-2017-6662 – Cisco Prime Infrastructure 3.1.6 XXE Injection / XSS / LFD / SQL Injection
https://notcve.org/view.php?id=CVE-2017-6662
22 Jun 2017 — A vulnerability in the web-based user interface of Cisco Prime Infrastructure (PI) and Evolved Programmable Network Manager (EPNM) could allow an authenticated, remote attacker read and write access to information stored in the affected system as well as perform remote code execution. The attacker must have valid user credentials. The vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing an XML file. An attacker could exploit this vulnerability by convincing the adminis... • https://packetstorm.news/files/id/143111 • CWE-20: Improper Input Validation CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 1CVE-2017-6698 – Cisco Prime Infrastructure 3.1.6 XXE Injection / XSS / LFD / SQL Injection
https://notcve.org/view.php?id=CVE-2017-6698
22 Jun 2017 — A vulnerability in the Cisco Prime Infrastructure (PI) and Evolved Programmable Network Manager (EPNM) SQL database interface could allow an authenticated, remote attacker to impact the confidentiality and integrity of the application by executing arbitrary SQL queries, aka SQL Injection. More Information: CSCvc23892 CSCvc35270 CSCvc35626 CSCvc35630 CSCvc49568. Known Affected Releases: 3.1(1) 2.0(4.0.45B). Una vulnerabilidad en la interfaz de base de datos SQL de Prime Infrastructure (PI) y Evolved Programm... • https://packetstorm.news/files/id/143111 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 6EXPL: 1CVE-2017-6699 – Cisco Prime Infrastructure 3.1.6 XXE Injection / XSS / LFD / SQL Injection
https://notcve.org/view.php?id=CVE-2017-6699
22 Jun 2017 — A vulnerability in the web-based management interface of Cisco Prime Infrastructure (PI) and Evolved Programmable Network Manager (EPNM) could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. More Information: CSCvc24616 CSCvc35363 CSCvc49574. Known Affected Releases: 3.1(1) 2.0(4.0.45B). Una vulnerabilidad en la interfaz de administración basada en web de Prime Infrastructure (PI) y... • https://packetstorm.news/files/id/143111 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 1CVE-2017-6700 – Cisco Prime Infrastructure 3.1.6 XXE Injection / XSS / LFD / SQL Injection
https://notcve.org/view.php?id=CVE-2017-6700
22 Jun 2017 — A vulnerability in the web-based management interface of Cisco Prime Infrastructure (PI) and Evolved Programmable Network Manager (EPNM) could allow an unauthenticated, remote attacker to conduct a Document Object Model (DOM) based (environment or client-side) cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. More Information: CSCvc24620 CSCvc49586. Known Affected Releases: 3.1(1) 2.0(4.0.45B). Una vulnerabilidad en la interfaz de administración ba... • https://packetstorm.news/files/id/143111 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 1%CPEs: 18EXPL: 0CVE-2016-6443
https://notcve.org/view.php?id=CVE-2016-6443
27 Oct 2016 — A vulnerability in the Cisco Prime Infrastructure and Evolved Programmable Network Manager SQL database interface could allow an authenticated, remote attacker to impact system confidentiality by executing a subset of arbitrary SQL queries that can cause product instability. More Information: CSCva27038, CSCva28335. Known Affected Releases: 3.1(0.128), 1.2(400), 2.0(1.0.34A). Una vulnerabilidad en Cisco Prime Infrastructure y en la interfaz de la base de datos SQL de Evolved Programmable Network Manager pod... • http://www.securityfocus.com/bid/93522 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 10.0EPSS: 6%CPEs: 14EXPL: 0CVE-2016-1289
https://notcve.org/view.php?id=CVE-2016-1289
02 Jul 2016 — The API in Cisco Prime Infrastructure 1.2 through 3.0 and Evolved Programmable Network Manager (EPNM) 1.2 allows remote attackers to execute arbitrary code or obtain sensitive management information via a crafted HTTP request, as demonstrated by discovering managed-device credentials, aka Bug ID CSCuy10231. La API en Cisco Prime Infrastructure 1.2 hasta la versión 3.0 y Evolved Programmable Network Manager (EPNM) 1.2 permite a atacantes remotos ejecutar código arbitrario u obtener información de gestión sen... • http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160629-piauthbypass • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 8.8EPSS: 0%CPEs: 21EXPL: 0CVE-2016-1408
https://notcve.org/view.php?id=CVE-2016-1408
02 Jul 2016 — Cisco Prime Infrastructure 1.2 through 3.1 and Evolved Programmable Network Manager (EPNM) 1.2 and 2.0 allow remote authenticated users to execute arbitrary commands or upload files via a crafted HTTP request, aka Bug ID CSCuz01488. Cisco Prime Infrastructure 1.2 hasta la versión 3.1 y Evolved Programmable Network Manager (EPNM) 1.2 y 2.0 permite a usuarios remotos autenticado ejecutar comandos arbitrarios o subir archivos a través de una petición HTTP manipulada, también conocida como Bug ID CSCuz01488. • http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160629-pi-epnm • CWE-20: Improper Input Validation •
CVSS: 8.8EPSS: 0%CPEs: 18EXPL: 0CVE-2016-1406
https://notcve.org/view.php?id=CVE-2016-1406
25 May 2016 — The API web interface in Cisco Prime Infrastructure before 3.1 and Cisco Evolved Programmable Network Manager before 1.2.4 allows remote authenticated users to bypass intended RBAC restrictions and obtain sensitive information, and consequently gain privileges, via crafted JSON data, aka Bug ID CSCuy12409. La interfaz web API en Cisco Prime Infrastructure en versiones anteriores a 3.1 y Cisco Evolved Programmable Network Manager en versiones anteriores a 1.2.4 permite a usuarios remotos autenticados eludir ... • http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160523-pi-epnm • CWE-284: Improper Access Control •
CVSS: 8.1EPSS: 0%CPEs: 14EXPL: 0CVE-2016-1290
https://notcve.org/view.php?id=CVE-2016-1290
06 Apr 2016 — The web API in Cisco Prime Infrastructure 1.2.0 through 2.2(2) and Cisco Evolved Programmable Network Manager (EPNM) 1.2 allows remote authenticated users to bypass intended RBAC restrictions and gain privileges via an HTTP request that is inconsistent with a pattern filter, aka Bug ID CSCuy10227. La API web en Cisco Prime Infrastructure 1.2.0 hasta la versión 2.2(2) y Cisco Evolved Programmable Network Manager (EPNM) 1.2 permite a usuarios remotos autenticados eludir restricciones RBAC previstas y obtener ... • http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160406-privauth • CWE-264: Permissions, Privileges, and Access Controls •