CVSS: 6.5EPSS: 0%CPEs: 12EXPL: 0CVE-2020-3401 – Cisco SD-WAN vManage Software Path Traversal Vulnerability
https://notcve.org/view.php?id=CVE-2020-3401
16 Jul 2020 — A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to conduct path traversal attacks and obtain read access to sensitive files on an affected system. The vulnerability is due to insufficient validation of HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request that contains directory traversal character sequences to the affected system. A successful exploit could allow the attacker to view... • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vmandowndir-CVGvdKM3 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0CVE-2020-3388 – Cisco SD-WAN vManage Software Command Injection Vulnerability
https://notcve.org/view.php?id=CVE-2020-3388
16 Jul 2020 — A vulnerability in the CLI of Cisco SD-WAN vManage Software could allow an authenticated, local attacker to inject arbitrary commands that are executed with root privileges. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by authenticating to the device and submitting crafted input to the CLI. The attacker must be authenticated to access the CLI. A successful exploit could allow the attacker to execute commands with root privileges. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-clibypvman-sKcLf2L • CWE-287: Improper Authentication •
CVSS: 9.0EPSS: 48%CPEs: 7EXPL: 2CVE-2020-3387 – Cisco SD-WAN vManage Software Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2020-3387
16 Jul 2020 — A vulnerability in Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to execute code with root privileges on an affected system. The vulnerability is due to insufficient input sanitization during user authentication processing. An attacker could exploit this vulnerability by sending a crafted response to the Cisco SD-WAN vManage Software. A successful exploit could allow the attacker to access the software and execute commands they should not be authorized to execute. Una vulnerabi... • https://packetstorm.news/files/id/162958 • CWE-20: Improper Input Validation •
CVSS: 8.8EPSS: 0%CPEs: 7EXPL: 0CVE-2020-3381 – Cisco SD-WAN vManage Software Directory Traversal Vulnerability
https://notcve.org/view.php?id=CVE-2020-3381
16 Jul 2020 — A vulnerability in the web management interface of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to conduct directory traversal attacks and obtain read and write access to sensitive files on a targeted system. The vulnerability is due to a lack of proper validation of files that are uploaded to an affected device. An attacker could exploit this vulnerability by uploading a crafted file to an affected system. An exploit could allow the attacker to view or modify arbitrary files ... • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vmdirtrav-eFdAxsJg • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 4.3EPSS: 0%CPEs: 13EXPL: 0CVE-2020-3378 – Cisco SD-WAN vManage Software SQL Injection Vulnerability
https://notcve.org/view.php?id=CVE-2020-3378
16 Jul 2020 — A vulnerability in the web-based management interface for Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to impact the integrity of an affected system by executing arbitrary SQL queries. The vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending crafted input that includes SQL statements to an affected system. A successful exploit could allow the attacker to modify entries in some database tables, affecting... • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sivm-M8wugR9O • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.5EPSS: 0%CPEs: 13EXPL: 0CVE-2020-3372 – Cisco SD-WAN vManage Software Denial of Service Vulnerability
https://notcve.org/view.php?id=CVE-2020-3372
16 Jul 2020 — A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to consume excessive system memory and cause a denial of service (DoS) condition on an affected system. The vulnerability is due to inefficient memory management. An attacker could exploit this vulnerability by sending a large number of crafted HTTP requests to the affected web-based management interface. A successful exploit could allow the attacker to exhaust system memory, ... • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-emvman-3y6LuTcZ • CWE-400: Uncontrolled Resource Consumption •
CVSS: 8.4EPSS: 0%CPEs: 15EXPL: 0CVE-2020-3180 – Cisco SD-WAN Solution Software Static Credentials Vulnerability
https://notcve.org/view.php?id=CVE-2020-3180
16 Jul 2020 — A vulnerability in Cisco SD-WAN Solution Software could allow an unauthenticated, local attacker to access an affected device by using an account that has a default, static password. This account has root privileges. The vulnerability exists because the affected software has a user account with a default, static password. An attacker could exploit this vulnerability by remotely connecting to an affected system by using this account. A successful exploit could allow the attacker to log in by using this accou... • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdscred-HfWWfqBj • CWE-264: Permissions, Privileges, and Access Controls CWE-522: Insufficiently Protected Credentials •
CVSS: 7.2EPSS: 0%CPEs: 118EXPL: 0CVE-2020-3214 – Cisco IOS XE Software Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2020-3214
03 Jun 2020 — A vulnerability in Cisco IOS XE Software could allow an authenticated, local attacker to escalate their privileges to a user with root-level privileges. The vulnerability is due to insufficient validation of user-supplied content. This vulnerability could allow an attacker to load malicious software onto an affected device. Una vulnerabilidad en Cisco IOS XE Software, podría permitir a un atacante local autenticado escalar sus privilegios hacia un usuario con privilegios de nivel root. La vulnerabilidad es ... • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-priv-esc2-A6jVRu7C • CWE-20: Improper Input Validation CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 5.8EPSS: 0%CPEs: 23EXPL: 0CVE-2020-3315 – Multiple Cisco Products Snort HTTP Detection Engine File Policy Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2020-3315
06 May 2020 — Multiple Cisco products are affected by a vulnerability in the Snort detection engine that could allow an unauthenticated, remote attacker to bypass the configured file policies on an affected system. The vulnerability is due to errors in how the Snort detection engine handles specific HTTP responses. An attacker could exploit this vulnerability by sending crafted HTTP packets that would flow through an affected system. A successful exploit could allow the attacker to bypass the configured file policies and... • https://lists.debian.org/debian-lts-announce/2023/02/msg00011.html • CWE-668: Exposure of Resource to Wrong Sphere CWE-693: Protection Mechanism Failure •
CVSS: 7.8EPSS: 0%CPEs: 21EXPL: 0CVE-2019-16011 – Cisco IOS XE SD-WAN Software Command Injection Vulnerability
https://notcve.org/view.php?id=CVE-2019-16011
29 Apr 2020 — A vulnerability in the CLI of Cisco IOS XE SD-WAN Software could allow an authenticated, local attacker to inject arbitrary commands that are executed with root privileges. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by authenticating to the device and submitting crafted input to the CLI utility. The attacker must be authenticated to access the CLI utility. A successful exploit could allow the attacker to execute commands with root privileges. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-xesdwcinj-AcQ5MxCn • CWE-20: Improper Input Validation CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •