CVE-2017-12276
https://notcve.org/view.php?id=CVE-2017-12276
A vulnerability in the web framework code for the SQL database interface of the Cisco Prime Collaboration Provisioning application could allow an authenticated, remote attacker to impact the confidentiality and integrity of the application by executing arbitrary SQL queries, aka SQL Injection. The attacker could read or write information from the SQL database. The vulnerability is due to a lack of proper validation on user-supplied input within SQL queries. An attacker could exploit this vulnerability by sending crafted URLs that contain malicious SQL statements to the affected application. An exploit could allow the attacker to determine the presence of certain values and write malicious input in the SQL database. • http://www.securityfocus.com/bid/101640 http://www.securitytracker.com/id/1039711 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171101-cpcp • CWE-20: Improper Input Validation CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2017-6793
https://notcve.org/view.php?id=CVE-2017-6793
A vulnerability in the Inventory Management feature of Cisco Prime Collaboration Provisioning Tool could allow an authenticated, remote attacker to view sensitive information on the system. The vulnerability is due to insufficient protection of restricted information. An attacker could exploit this vulnerability by accessing unauthorized information via the user interface. Cisco Bug IDs: CSCvd61932. Una vulnerabilidad en la característica de gestión de inventario en Cisco Prime Collaboration Provisioning Tool podría permitir que un atacante remoto autenticado vea información sensible en el sistema. • http://www.securitytracker.com/id/1039280 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170906-pcpt1 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2017-6792
https://notcve.org/view.php?id=CVE-2017-6792
A vulnerability in the batch provisioning feature in Cisco Prime Collaboration Provisioning Tool could allow an authenticated, remote attacker to overwrite system files as root. The vulnerability is due to lack of input validation of the parameters in BatchFileName and Directory. An attacker could exploit this vulnerability by manipulating the parameters of the batch action file function. Cisco Bug IDs: CSCvd61766. Una vulnerabilidad en la característica de aprovisionamiento de lotes en Cisco Prime Collaboration Provisioning Tool podría permitir que un atacante remoto autenticado sobrescriba archivos del sistema como root. • http://www.securityfocus.com/bid/100666 http://www.securitytracker.com/id/1039279 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170906-pcpt • CWE-20: Improper Input Validation •
CVE-2017-6759
https://notcve.org/view.php?id=CVE-2017-6759
A vulnerability in the UpgradeManager of the Cisco Prime Collaboration Provisioning Tool 12.1 could allow an authenticated, remote attacker to write arbitrary files as root on the system. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by triggering the upgrade package installation functionality. Cisco Bug IDs: CSCvc90304. Una vulnerabilidad en UpgradeManager del Cisco Prime Collaboration Provisioning Tool 12.1 podría permitir que un atacante remoto autenticado escriba archivos arbitrarios como root en el sistema. • http://www.securitytracker.com/id/1039062 https://quickview.cloudapps.cisco.com/quickview/bug/CSCvc90304 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170802-pcpt • CWE-20: Improper Input Validation •
CVE-2017-6756
https://notcve.org/view.php?id=CVE-2017-6756
A vulnerability in the Web UI Application of the Cisco Prime Collaboration Provisioning Tool through 12.2 could allow an unauthenticated, remote attacker to execute unwanted actions. The vulnerability is due to a lack of defense against cross-site request forgery (CSRF) attacks. An attacker could exploit this vulnerability by forcing the user's browser to perform any action authorized for that user. Cisco Bug IDs: CSCvc90280. Una vulnerabilidad en la aplicación de interfaz de usuario web de Cisco Prime Collaboration Provisioning Tool en su versión 12.2 podría permitir que un atacante remoto sin autenticar ejecute acciones no deseadas. • http://www.securityfocus.com/bid/100112 http://www.securitytracker.com/id/1039061 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170802-pcpt1 • CWE-352: Cross-Site Request Forgery (CSRF) •