CVSS: 7.8EPSS: 0%CPEs: 26EXPL: 0CVE-2023-20274
https://notcve.org/view.php?id=CVE-2023-20274
A vulnerability in the installer script of Cisco AppDynamics PHP Agent could allow an authenticated, local attacker to elevate privileges on an affected device. This vulnerability is due to insufficient permissions that are set by the PHP Agent Installer on the PHP Agent install directory. An attacker could exploit this vulnerability by modifying objects in the PHP Agent install directory, which would run with the same privileges as PHP. A successful exploit could allow a lower-privileged attacker to elevate their privileges to root on an affected device. Una vulnerabilidad en el script de instalación de Cisco AppDynamics PHP Agent podría permitir que un atacante local autenticado eleve los privilegios en un dispositivo afectado. Esta vulnerabilidad se debe a permisos insuficientes establecidos por el instalador del Agente PHP en el directorio de instalación del Agente PHP. • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-appd-php-authpriv-gEBwTvu5 • CWE-269: Improper Privilege Management •
CVSS: 8.8EPSS: 0%CPEs: 13EXPL: 0CVE-2023-20272
https://notcve.org/view.php?id=CVE-2023-20272
A vulnerability in the web-based management interface of Cisco Identity Services Engine could allow an authenticated, remote attacker to upload malicious files to the web root of the application. This vulnerability is due to insufficient file input validation. An attacker could exploit this vulnerability by uploading a malicious file to the web interface. A successful exploit could allow the attacker to replace files and gain access to sensitive server-side information. Una vulnerabilidad en la interfaz de administración basada en web de Cisco Identity Services Engine podría permitir que un atacante remoto autenticado cargue archivos maliciosos en la raíz web de la aplicación. • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-mult-j-KxpNynR • CWE-424: Improper Protection of Alternate Path •
CVSS: 4.8EPSS: 0%CPEs: 15EXPL: 0CVE-2023-20208
https://notcve.org/view.php?id=CVE-2023-20208
A vulnerability in the web-based management interface of Cisco ISE could allow an authenticated, remote attacker to conduct an XSS attack against a user of the web-based management interface of an affected device. Una vulnerabilidad en la interfaz de administración basada en web de Cisco ISE podría permitir que un atacante remoto autenticado lleve a cabo un ataque XSS contra un usuario de la interfaz de administración basada en web de un dispositivo afectado. • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-mult-j-KxpNynR • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-87: Improper Neutralization of Alternate XSS Syntax •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2023-20265
https://notcve.org/view.php?id=CVE-2023-20265
A vulnerability in the web-based management interface of a small subset of Cisco IP Phones could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by persuading a user of an affected interface to view a page containing malicious HTML or script content. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have valid credentials to access the web-based management interface of the affected device. • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-uipphone-xss-NcmUykqA • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.6EPSS: 0%CPEs: 8EXPL: 0CVE-2023-20083
https://notcve.org/view.php?id=CVE-2023-20083
A vulnerability in ICMPv6 inspection when configured with the Snort 2 detection engine for Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause the CPU of an affected device to spike to 100 percent, which could stop all traffic processing and result in a denial of service (DoS) condition. FTD management traffic is not affected by this vulnerability. This vulnerability is due to improper error checking when parsing fields within the ICMPv6 header. An attacker could exploit this vulnerability by sending a crafted ICMPv6 packet through an affected device. A successful exploit could allow the attacker to cause the device to exhaust CPU resources and stop processing traffic, resulting in a DoS condition. • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-icmpv6-dos-4eMkLuN • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •