CVE-2017-12337
https://notcve.org/view.php?id=CVE-2017-12337
A vulnerability in the upgrade mechanism of Cisco collaboration products based on the Cisco Voice Operating System software platform could allow an unauthenticated, remote attacker to gain unauthorized, elevated access to an affected device. The vulnerability occurs when a refresh upgrade (RU) or Prime Collaboration Deployment (PCD) migration is performed on an affected device. When a refresh upgrade or PCD migration is completed successfully, an engineering flag remains enabled and could allow root access to the device with a known password. If the vulnerable device is subsequently upgraded using the standard upgrade method to an Engineering Special Release, service update, or a new major release of the affected product, this vulnerability is remediated by that action. Note: Engineering Special Releases that are installed as COP files, as opposed to the standard upgrade method, do not remediate this vulnerability.
• http://www.securityfocus.com/bid/101865
• http://www.securitytracker.com/id/1039813
• http://www.securitytracker.com/id/1039814
• http://www.securitytracker.com/id/1039815
• http://www.securitytracker.com/id/1039816
• http://www.securitytracker.com/id/1039817
• http://www.securitytracker.com/id/1039818
• http://www.securitytracker.com/id/1039819
• http://www.securitytracker.com/id/1039820
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171115-vos
• CWE-287: Improper Authentication
CVE-2017-12276
https://notcve.org/view.php?id=CVE-2017-12276
A vulnerability in the web framework code for the SQL database interface of the Cisco Prime Collaboration Provisioning application could allow an authenticated, remote attacker to impact the confidentiality and integrity of the application by executing arbitrary SQL queries, aka SQL Injection. The attacker could read or write information from the SQL database. The vulnerability is due to a lack of proper validation on user-supplied input within SQL queries. An attacker could exploit this vulnerability by sending crafted URLs that contain malicious SQL statements to the affected application. An exploit could allow the attacker to determine the presence of certain values and write malicious input in the SQL database.
• http://www.securityfocus.com/bid/101640
• http://www.securitytracker.com/id/1039711
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171101-cpcp
• CWE-20: Improper Input Validation
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2017-6793
https://notcve.org/view.php?id=CVE-2017-6793
A vulnerability in the Inventory Management feature of Cisco Prime Collaboration Provisioning Tool could allow an authenticated, remote attacker to view sensitive information on the system. The vulnerability is due to insufficient protection of restricted information. An attacker could exploit this vulnerability by accessing unauthorized information via the user interface. Cisco Bug IDs: CSCvd61932.
• http://www.securitytracker.com/id/1039280
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170906-pcpt1
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2017-6792
https://notcve.org/view.php?id=CVE-2017-6792
A vulnerability in the batch provisioning feature in Cisco Prime Collaboration Provisioning Tool could allow an authenticated, remote attacker to overwrite system files as root. The vulnerability is due to lack of input validation of the parameters in BatchFileName and Directory. An attacker could exploit this vulnerability by manipulating the parameters of the batch action file function. Cisco Bug IDs: CSCvd61766.
• http://www.securityfocus.com/bid/100666
• http://www.securitytracker.com/id/1039279
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170906-pcpt
• CWE-20: Improper Input Validation
CVE-2017-6759
https://notcve.org/view.php?id=CVE-2017-6759
A vulnerability in the UpgradeManager of the Cisco Prime Collaboration Provisioning Tool 12.1 could allow an authenticated, remote attacker to write arbitrary files as root on the system. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by triggering the upgrade package installation functionality. Cisco Bug IDs: CSCvc90304.
• http://www.securitytracker.com/id/1039062
• https://quickview.cloudapps.cisco.com/quickview/bug/CSCvc90304
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170802-pcpt
• CWE-20: Improper Input Validation