CVSS: 9.0EPSS: 1%CPEs: 16EXPL: 0CVE-2019-1754 – Cisco IOS XE Software Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2019-1754
28 Mar 2019 — A vulnerability in the authorization subsystem of Cisco IOS XE Software could allow an authenticated but unprivileged (level 1), remote attacker to run privileged Cisco IOS commands by using the web UI. The vulnerability is due to improper validation of user privileges of web UI users. An attacker could exploit this vulnerability by submitting a malicious payload to a specific endpoint in the web UI. A successful exploit could allow the lower-privileged attacker to execute arbitrary commands with higher pri... • http://www.securityfocus.com/bid/107590 • CWE-20: Improper Input Validation CWE-269: Improper Privilege Management •
CVSS: 9.0EPSS: 0%CPEs: 38EXPL: 0CVE-2019-1755 – Cisco IOS XE Software Command Injection Vulnerability
https://notcve.org/view.php?id=CVE-2019-1755
28 Mar 2019 — A vulnerability in the Web Services Management Agent (WSMA) function of Cisco IOS XE Software could allow an authenticated, remote attacker to execute arbitrary Cisco IOS commands as a privilege level 15 user. The vulnerability occurs because the affected software improperly sanitizes user-supplied input. An attacker could exploit this vulnerability by submitting crafted HTTP requests to the targeted application. A successful exploit could allow the attacker to execute arbitrary commands on the affected dev... • http://www.securityfocus.com/bid/107380 • CWE-20: Improper Input Validation •
CVSS: 9.0EPSS: 0%CPEs: 16EXPL: 0CVE-2019-1756 – Cisco IOS XE Software Command Injection Vulnerability
https://notcve.org/view.php?id=CVE-2019-1756
28 Mar 2019 — A vulnerability in Cisco IOS XE Software could allow an authenticated, remote attacker to execute commands on the underlying Linux shell of an affected device with root privileges. The vulnerability occurs because the affected software improperly sanitizes user-supplied input. An attacker who has valid administrator access to an affected device could exploit this vulnerability by supplying a username with a malicious payload in the web UI and subsequently making a request to a specific endpoint in the web U... • http://www.securityfocus.com/bid/107598 • CWE-20: Improper Input Validation •
CVSS: 9.0EPSS: 1%CPEs: 15EXPL: 0CVE-2019-1753 – Cisco IOS XE Software Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2019-1753
28 Mar 2019 — A vulnerability in the web UI of Cisco IOS XE Software could allow an authenticated but unprivileged (level 1), remote attacker to run privileged Cisco IOS commands by using the web UI. The vulnerability is due to a failure to validate and sanitize input in Web Services Management Agent (WSMA) functions. An attacker could exploit this vulnerability by submitting a malicious payload to the affected device's web UI. A successful exploit could allow the lower-privileged attacker to execute arbitrary commands w... • http://www.securityfocus.com/bid/107602 • CWE-20: Improper Input Validation •
CVSS: 7.4EPSS: 0%CPEs: 48EXPL: 0CVE-2019-1749 – Cisco Aggregation Services Router 900 Route Switch Processor 3 OSPFv2 Denial of Service Vulnerability
https://notcve.org/view.php?id=CVE-2019-1749
27 Mar 2019 — A vulnerability in the ingress traffic validation of Cisco IOS XE Software for Cisco Aggregation Services Router (ASR) 900 Route Switch Processor 3 (RSP3) could allow an unauthenticated, adjacent attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition. The vulnerability exists because the software insufficiently validates ingress traffic on the ASIC used on the RSP3 platform. An attacker could exploit this vulnerability by sending a malformed OSPF version 2 (OSPF... • http://www.securityfocus.com/bid/107615 • CWE-20: Improper Input Validation •
CVSS: 8.8EPSS: 0%CPEs: 155EXPL: 0CVE-2019-1745 – Cisco IOS XE Software Command Injection Vulnerability
https://notcve.org/view.php?id=CVE-2019-1745
27 Mar 2019 — A vulnerability in Cisco IOS XE Software could allow an authenticated, local attacker to inject arbitrary commands that are executed with elevated privileges. The vulnerability is due to insufficient input validation of commands supplied by the user. An attacker could exploit this vulnerability by authenticating to a device and submitting crafted input to the affected commands. An exploit could allow the attacker to gain root privileges on the affected device. Una vulnerabilidad en el software Cisco IOS XE ... • http://www.securityfocus.com/bid/107588 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.8EPSS: 0%CPEs: 31EXPL: 0CVE-2019-1743 – Cisco IOS XE Software Arbitrary File Upload Vulnerability
https://notcve.org/view.php?id=CVE-2019-1743
27 Mar 2019 — A vulnerability in the web UI framework of Cisco IOS XE Software could allow an authenticated, remote attacker to make unauthorized changes to the filesystem of the affected device. The vulnerability is due to improper input validation. An attacker could exploit this vulnerability by crafting a malicious file and uploading it to the device. An exploit could allow the attacker to gain elevated privileges on the affected device. Una vulnerabilidad en el framework de la interfaz web del software Cisco IOS XE p... • http://www.securityfocus.com/bid/107591 • CWE-20: Improper Input Validation •
CVSS: 8.6EPSS: 1%CPEs: 14EXPL: 0CVE-2019-1741 – Cisco IOS XE Software Encrypted Traffic Analytics Denial of Service Vulnerability
https://notcve.org/view.php?id=CVE-2019-1741
27 Mar 2019 — A vulnerability in the Cisco Encrypted Traffic Analytics (ETA) feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. The vulnerability is due to a logic error that exists when handling a malformed incoming packet, leading to access to an internal data structure after it has been freed. An attacker could exploit this vulnerability by sending crafted, malformed IP packets to an affected device. A successful exploit could allow the attack... • http://www.securityfocus.com/bid/107614 • CWE-20: Improper Input Validation CWE-416: Use After Free •
CVSS: 8.6EPSS: 0%CPEs: 3EXPL: 0CVE-2018-15377 – Cisco IOS and IOS XE Software Plug and Play Agent Memory Leak Vulnerability
https://notcve.org/view.php?id=CVE-2018-15377
05 Oct 2018 — A vulnerability in the Cisco Network Plug and Play agent, also referred to as the Cisco Open Plug-n-Play agent, of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a memory leak on an affected device. The vulnerability is due to insufficient input validation by the affected software. An attacker could exploit this vulnerability by sending invalid data to the Cisco Network Plug and Play agent on an affected device. A successful exploit could allow the atta... • https://ics-cert.us-cert.gov/advisories/ICSA-19-094-02 • CWE-400: Uncontrolled Resource Consumption CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 8.6EPSS: 9%CPEs: 24EXPL: 0CVE-2018-0173 – Cisco IOS and IOS XE Software Improper Input Validation Vulnerability
https://notcve.org/view.php?id=CVE-2018-0173
28 Mar 2018 — A vulnerability in the Cisco IOS Software and Cisco IOS XE Software function that restores encapsulated option 82 information in DHCP Version 4 (DHCPv4) packets could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a Relay Reply denial of service (DoS) condition. The vulnerability exists because the affected software performs incomplete input validation of encapsulated option 82 information that it receives in DHCPOFFER messages from DHCPv4 servers. An attacker ... • http://www.securityfocus.com/bid/103545 • CWE-20: Improper Input Validation •