CVSS: 4.4EPSS: 0%CPEs: 8EXPL: 0CVE-2021-1306 – Cisco ADE-OS Local File Inclusion Vulnerability
https://notcve.org/view.php?id=CVE-2021-1306
A vulnerability in the restricted shell of Cisco Evolved Programmable Network (EPN) Manager, Cisco Identity Services Engine (ISE), and Cisco Prime Infrastructure could allow an authenticated, local attacker to identify directories and write arbitrary files to the file system. This vulnerability is due to improper validation of parameters that are sent to a CLI command within the restricted shell. An attacker could exploit this vulnerability by logging in to the device and issuing certain CLI commands. A successful exploit could allow the attacker to identify file directories on the affected device and write arbitrary files to the file system on the affected device. To exploit this vulnerability, the attacker must be an authenticated shell user. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ade-xcvAQEOZ • CWE-73: External Control of File Name or Path CWE-610: Externally Controlled Reference to a Resource in Another Sphere •
CVSS: 6.4EPSS: 0%CPEs: 2EXPL: 0CVE-2020-3339 – Cisco Prime Infrastructure SQL Injection Vulnerability
https://notcve.org/view.php?id=CVE-2020-3339
A vulnerability in the web-based management interface of Cisco Prime Infrastructure could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. The vulnerability is due to improper validation of user-submitted parameters. An attacker could exploit this vulnerability by authenticating to the application and sending malicious requests to an affected system. A successful exploit could allow the attacker to obtain and modify sensitive information that is stored in the underlying database. Una vulnerabilidad en la interfaz de administración basada en web de Cisco Prime Infrastructure, podría permitir a un atacante remoto autenticado llevar a cabo ataques de inyección SQL sobre un sistema afectado. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-pi-sql-inj-KGLLsFw8 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 10.0EPSS: 0%CPEs: 4EXPL: 0CVE-2019-15958 – Cisco Prime Infrastructure and Evolved Programmable Network Manager Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2019-15958
A vulnerability in the REST API of Cisco Prime Infrastructure (PI) and Cisco Evolved Programmable Network Manager (EPNM) could allow an unauthenticated remote attacker to execute arbitrary code with root privileges on the underlying operating system. The vulnerability is due to insufficient input validation during the initial High Availability (HA) configuration and registration process of an affected device. An attacker could exploit this vulnerability by uploading a malicious file during the HA registration period. A successful exploit could allow the attacker to execute arbitrary code with root-level privileges on the underlying operating system. Note: This vulnerability can only be exploited during the HA registration period. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191106-pi-epn-codex • CWE-20: Improper Input Validation •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2019-1906 – Cisco Prime Infrastructure Virtual Domain Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2019-1906
A vulnerability in the Virtual Domain system of Cisco Prime Infrastructure (PI) could allow an authenticated, remote attacker to change the virtual domain configuration, which could lead to privilege escalation. The vulnerability is due to improper validation of API requests. An attacker could exploit this vulnerability by manipulating requests sent to an affected PI server. A successful exploit could allow the attacker to change the virtual domain configuration and possibly elevate privileges. Una vulnerabilidad en el sistema Virtual Domain de Prime Infrastructure (PI) de Cisco, podría permitir a un atacante remoto autenticado cambiar la configuración de virtual domain, lo que podría conllevar a una escalada de privilegios. • http://www.securityfocus.com/bid/108855 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190619-prime-privescal • CWE-20: Improper Input Validation CWE-264: Permissions, Privileges, and Access Controls •