Page 6 of 30 results (0.004 seconds)

CVSS: 9.0EPSS: 1%CPEs: 3EXPL: 0

A vulnerability in the web-based management interface of Cisco Prime Infrastructure (PI) and Cisco Evolved Programmable Network (EPN) Manager could allow an authenticated, remote attacker to execute code with root-level privileges on the underlying operating system. This vulnerability exist because the software improperly validates user-supplied input. An attacker could exploit this vulnerability by uploading a malicious file to the administrative web interface. A successful exploit could allow the attacker to execute code with root-level privileges on the underlying operating system. Una vulnerabilidad en web-based management interface en Prime Infrastructure (PI) y Evolved Programmable Network (EPN) Manager de Cisco podría permitir que un atacante remoto autenticado ejecute código con privilegios de nivel raíz en el sistema operativo subyacente. • http://www.securityfocus.com/bid/108339 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-pi-rce • CWE-20: Improper Input Validation •

CVSS: 8.1EPSS: 0%CPEs: 2EXPL: 0

A vulnerability in the web-based management interface of Cisco Prime Infrastructure (PI) and Cisco Evolved Programmable Network (EPN) Manager could allow an authenticated, remote attacker to execute arbitrary SQL queries. This vulnerability exist because the software improperly validates user-supplied input in SQL queries. An attacker could exploit this vulnerability by sending a crafted HTTP request that contains malicious SQL statements to the affected application. A successful exploit could allow the attacker to view or modify entries in some database tables, affecting the integrity of the data. Una vulnerabilidad en la web-based management interface de Prime Infrastructure (PI) y Evolved Programmable Network (EPN) Manager de Cisco podría permitir que un atacante remoto autenticado ejecutara consultas SQL arbitrarias. • http://www.securityfocus.com/bid/108337 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-pi-sqlinject • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 8.1EPSS: 0%CPEs: 3EXPL: 0

A vulnerability in the web-based management interface of Cisco Prime Infrastructure (PI) and Cisco Evolved Programmable Network (EPN) Manager could allow an authenticated, remote attacker to execute arbitrary SQL queries. This vulnerability exist because the software improperly validates user-supplied input in SQL queries. An attacker could exploit this vulnerability by sending a crafted HTTP request that contains malicious SQL statements to the affected application. A successful exploit could allow the attacker to view or modify entries in some database tables, affecting the integrity of the data. Una vulnerabilidad en la web-based management interface de Prime Infrastructure (PI) y Evolved Programmable Network (EPN) Manager de Cisco podría permitir que un atacante remoto autenticado ejecutara consultas SQL arbitrarias. • http://www.securityfocus.com/bid/108337 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-pi-sqlinject • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 7.4EPSS: 0%CPEs: 1EXPL: 0

A vulnerability in the Identity Services Engine (ISE) integration feature of Cisco Prime Infrastructure (PI) could allow an unauthenticated, remote attacker to perform a man-in-the-middle attack against the Secure Sockets Layer (SSL) tunnel established between ISE and PI. The vulnerability is due to improper validation of the server SSL certificate when establishing the SSL tunnel with ISE. An attacker could exploit this vulnerability by using a crafted SSL certificate and could then intercept communications between the ISE and PI. A successful exploit could allow the attacker to view and alter potentially sensitive information that the ISE maintains about clients that are connected to the network. This vulnerability affects Cisco Prime Infrastructure Software Releases 2.2 through 3.4.0 when the PI server is integrated with ISE, which is disabled by default. • http://www.securityfocus.com/bid/107092 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190220-prime-validation • CWE-295: Improper Certificate Validation •

CVSS: 9.8EPSS: 96%CPEs: 10EXPL: 1

A vulnerability in which the HTTP web server for Cisco Prime Infrastructure (PI) has unrestricted directory permissions could allow an unauthenticated, remote attacker to upload an arbitrary file. This file could allow the attacker to execute commands at the privilege level of the user prime. This user does not have administrative or root privileges. The vulnerability is due to an incorrect permission setting for important system directories. An attacker could exploit this vulnerability by uploading a malicious file by using TFTP, which can be accessed via the web-interface GUI. • https://www.exploit-db.com/exploits/45555 http://www.securityfocus.com/bid/105506 http://www.securitytracker.com/id/1041816 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-pi-tftp • CWE-275: Permission Issues CWE-732: Incorrect Permission Assignment for Critical Resource •