CVSS: 8.1EPSS: 0%CPEs: 3EXPL: 0CVE-2019-1825 – Cisco Prime Infrastructure and Evolved Programmable Network Manager SQL Injection Vulnerabilities
https://notcve.org/view.php?id=CVE-2019-1825
16 May 2019 — A vulnerability in the web-based management interface of Cisco Prime Infrastructure (PI) and Cisco Evolved Programmable Network (EPN) Manager could allow an authenticated, remote attacker to execute arbitrary SQL queries. This vulnerability exist because the software improperly validates user-supplied input in SQL queries. An attacker could exploit this vulnerability by sending a crafted HTTP request that contains malicious SQL statements to the affected application. A successful exploit could allow the att... • http://www.securityfocus.com/bid/108337 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.4EPSS: 0%CPEs: 1EXPL: 0CVE-2019-1659 – Cisco Prime Infrastructure Certificate Validation Vulnerability
https://notcve.org/view.php?id=CVE-2019-1659
21 Feb 2019 — A vulnerability in the Identity Services Engine (ISE) integration feature of Cisco Prime Infrastructure (PI) could allow an unauthenticated, remote attacker to perform a man-in-the-middle attack against the Secure Sockets Layer (SSL) tunnel established between ISE and PI. The vulnerability is due to improper validation of the server SSL certificate when establishing the SSL tunnel with ISE. An attacker could exploit this vulnerability by using a crafted SSL certificate and could then intercept communication... • http://www.securityfocus.com/bid/107092 • CWE-295: Improper Certificate Validation •
CVSS: 9.8EPSS: 89%CPEs: 10EXPL: 3CVE-2018-15379 – Cisco Prime Infrastructure Arbitrary File Upload and Command Execution Vulnerability
https://notcve.org/view.php?id=CVE-2018-15379
05 Oct 2018 — A vulnerability in which the HTTP web server for Cisco Prime Infrastructure (PI) has unrestricted directory permissions could allow an unauthenticated, remote attacker to upload an arbitrary file. This file could allow the attacker to execute commands at the privilege level of the user prime. This user does not have administrative or root privileges. The vulnerability is due to an incorrect permission setting for important system directories. An attacker could exploit this vulnerability by uploading a malic... • https://packetstorm.news/files/id/150287 • CWE-275: Permission Issues CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 10.0EPSS: 34%CPEs: 3EXPL: 0CVE-2018-0258
https://notcve.org/view.php?id=CVE-2018-0258
02 May 2018 — A vulnerability in the Cisco Prime File Upload servlet affecting multiple Cisco products could allow a remote attacker to upload arbitrary files to any directory of a vulnerable device (aka Path Traversal) and execute those files. This vulnerability affects the following products: Cisco Prime Data Center Network Manager (DCNM) Version 10.0 and later, and Cisco Prime Infrastructure (PI) All versions. Cisco Bug IDs: CSCvf32411, CSCvf81727. Una vulnerabilidad en el servlet Cisco Prime File Upload que afecta a ... • http://www.securityfocus.com/bid/104074 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 5.9EPSS: 0%CPEs: 2EXPL: 0CVE-2018-0096
https://notcve.org/view.php?id=CVE-2018-0096
18 Jan 2018 — A vulnerability in the role-based access control (RBAC) functionality of Cisco Prime Infrastructure could allow an authenticated, remote attacker to perform a privilege escalation in which one virtual domain user can view and modify another virtual domain configuration. The vulnerability is due to a failure to properly enforce RBAC for virtual domains. An attacker could exploit this vulnerability by sending an authenticated, crafted HTTP request to a targeted application. An exploit could allow the attacker... • http://www.securityfocus.com/bid/102727 • CWE-264: Permissions, Privileges, and Access Controls CWE-863: Incorrect Authorization •