CVE-2019-1907 – Cisco Integrated Management Controller Substring Comparison Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2019-1907
A vulnerability in the web server of Cisco Integrated Management Controller (IMC) could allow an authenticated, remote attacker to set sensitive configuration values and gain elevated privileges. The vulnerability is due to improper handling of substring comparison operations that are performed by the affected software. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected software. A successful exploit could allow the attacker with read-only privileges to gain administrator privileges. Una vulnerabilidad en el servidor web de Cisco Integrated Management Controller (IMC) podría permitir que un atacante remoto autenticado establezca valores de configuración confidenciales y obtenga privilegios elevados. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imc-privescal • CWE-285: Improper Authorization •
CVE-2019-1908 – Cisco Integrated Management Controller Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2019-1908
A vulnerability in the Intelligent Platform Management Interface (IPMI) implementation of Cisco Integrated Management Controller (IMC) could allow an unauthenticated, remote attacker to view sensitive system information. The vulnerability is due to insufficient security restrictions imposed by the affected software. A successful exploit could allow the attacker to view sensitive information that belongs to other users. The attacker could then use this information to conduct additional attacks. Una vulnerabilidad en la implementación de la Interfaz de administración de plataforma inteligente (IPMI) de Cisco Integrated Management Controller (IMC) podría permitir que un atacante remoto no autenticado vea información confidencial del sistema. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imc-infodisc • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2019-1883 – Cisco Integrated Management Controller CLI Command Injection Vulnerability
https://notcve.org/view.php?id=CVE-2019-1883
A vulnerability in the command-line interface of Cisco Integrated Management Controller (IMC) could allow an authenticated, local attacker with read-only credentials to inject arbitrary commands that could allow them to obtain root privileges. The vulnerability is due to insufficient validation of user-supplied input on the command-line interface. An attacker could exploit this vulnerability by authenticating with read-only privileges via the CLI of an affected device and submitting crafted input to the affected commands. A successful exploit could allow an attacker to execute arbitrary commands on the device with root privileges. Una vulnerabilidad en la interfaz de línea de comandos de Cisco Integrated Management Controller (IMC) podría permitir que un atacante local autenticado con credenciales de solo lectura inyecte comandos arbitrarios que podrían permitirles obtener privilegios de root. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-cimc-cli-inject • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2019-1885 – Cisco Integrated Management Controller Command Injection Vulnerability
https://notcve.org/view.php?id=CVE-2019-1885
A vulnerability in the Redfish protocol of Cisco Integrated Management Controller (IMC) could allow an authenticated, remote attacker to inject and execute arbitrary commands with root privileges on an affected device. The vulnerability is due to insufficient validation of user-supplied input by the affected software. An attacker could exploit this vulnerability by sending crafted authenticated commands to the web-based management interface of the affected software. A successful exploit could allow the attacker to inject and execute arbitrary commands on an affected device with root privileges. Una vulnerabilidad en el protocolo Redfish de Cisco Integrated Management Controller (IMC) podría permitir que un atacante remoto autenticado inyecte y ejecute comandos arbitrarios con privilegios de root en un dispositivo afectado. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-ucs-cimc • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2019-1896 – Cisco Integrated Management Controller CSR Generation Command Injection Vulnerability
https://notcve.org/view.php?id=CVE-2019-1896
A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) could allow an authenticated, remote attacker to inject arbitrary commands and obtain root privileges. The vulnerability is due to insufficient validation of user-supplied input in the Certificate Signing Request (CSR) function of the web-based management interface. An attacker could exploit this vulnerability by submitting a crafted CSR in the web-based management interface. A successful exploit could allow an attacker with administrator privileges to execute arbitrary commands on the device with full root privileges. Una vulnerabilidad en la interfaz de administración basada en la web de Cisco Integrated Management Controller (IMC) podría permitir que un atacante remoto autenticado inyecte comandos arbitrarios y obtenga privilegios de root. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imc-cmdinject-1896 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •