CVSS: 5.8EPSS: 0%CPEs: 302EXPL: 0CVE-2021-1377 – Cisco IOS and IOS XE Software ARP Resource Management Exhaustion Denial of Service Vulnerability
https://notcve.org/view.php?id=CVE-2021-1377
24 Mar 2021 — A vulnerability in Address Resolution Protocol (ARP) management of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to prevent an affected device from resolving ARP entries for legitimate hosts on the connected subnets. This vulnerability exists because ARP entries are mismanaged. An attacker could exploit this vulnerability by continuously sending traffic that results in incomplete ARP entries. A successful exploit could allow the attacker to cause ARP requests o... • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-arp-mtfhBfjE • CWE-399: Resource Management Errors •
CVSS: 7.2EPSS: 0%CPEs: 4EXPL: 1CVE-2021-1382 – Cisco IOS XE SD-WAN Software Command Injection Vulnerability
https://notcve.org/view.php?id=CVE-2021-1382
24 Mar 2021 — A vulnerability in the CLI of Cisco IOS XE SD-WAN Software could allow an authenticated, local attacker to inject arbitrary commands to be executed with root privileges on the underlying operating system. This vulnerability is due to insufficient input validation on certain CLI commands. An attacker could exploit this vulnerability by authenticating to the device and submitting crafted input to the CLI. The attacker must be authenticated as an administrative user to execute the affected commands. A successf... • https://github.com/orangecertcc/security-research/security/advisories/GHSA-7xfm-92p7-qc57 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 7.2EPSS: 0%CPEs: 63EXPL: 1CVE-2021-1383 – Cisco IOS XE SD-WAN Software Parameter Injection Vulnerabilities
https://notcve.org/view.php?id=CVE-2021-1383
24 Mar 2021 — Multiple vulnerabilities in the CLI of Cisco IOS XE SD-WAN Software could allow an authenticated, local attacker to access the underlying operating system with root privileges. These vulnerabilities are due to insufficient input validation of certain CLI commands. An attacker could exploit these vulnerabilities by authenticating to the device and submitting crafted input to the CLI. The attacker must be authenticated as an administrative user to execute the affected commands. A successful exploit could allo... • https://github.com/orangecertcc/security-research/security/advisories/GHSA-vw54-f9mw-g46r • CWE-20: Improper Input Validation CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') •
CVSS: 8.5EPSS: 26%CPEs: 5EXPL: 1CVE-2021-1384 – Cisco IOx for IOS XE Software Command Injection Vulnerability
https://notcve.org/view.php?id=CVE-2021-1384
24 Mar 2021 — A vulnerability in Cisco IOx application hosting environment of Cisco IOS XE Software could allow an authenticated, remote attacker to inject commands into the underlying operating system as the root user. This vulnerability is due to incomplete validation of fields in the application packages loaded onto IOx. An attacker could exploit this vulnerability by creating a crafted application .tar file and loading it onto the device. A successful exploit could allow the attacker to perform command injection into... • https://github.com/orangecertcc/security-research/security/advisories/GHSA-h332-fj6p-2232 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 7.2EPSS: 0%CPEs: 74EXPL: 0CVE-2021-1390 – Cisco IOS XE Software Local Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2021-1390
24 Mar 2021 — A vulnerability in one of the diagnostic test CLI commands of Cisco IOS XE Software could allow an authenticated, local attacker to execute arbitrary code on an affected device. To exploit this vulnerability, the attacker would need to have valid user credentials at privilege level 15. This vulnerability exists because the affected software permits modification of the run-time memory of an affected device under specific circumstances. An attacker could exploit this vulnerability by authenticating to the aff... • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-XE-OFP-6Nezgn7b • CWE-123: Write-what-where Condition •
CVSS: 7.2EPSS: 0%CPEs: 134EXPL: 0CVE-2021-1391 – Cisco IOS and IOS XE Software Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2021-1391
24 Mar 2021 — A vulnerability in the dragonite debugger of Cisco IOS XE Software could allow an authenticated, local attacker to escalate from privilege level 15 to root privilege. The vulnerability is due to the presence of development testing and verification scripts that remained on the device. An attacker could exploit this vulnerability by bypassing the consent token mechanism with the residual scripts on the affected device. A successful exploit could allow the attacker to escalate from privilege level 15 to root p... • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-XE-FSM-Yj8qJbJc • CWE-489: Active Debug Code •
CVSS: 7.8EPSS: 0%CPEs: 214EXPL: 0CVE-2021-1392 – Cisco IOS and IOS XE Software Common Industrial Protocol Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2021-1392
24 Mar 2021 — A vulnerability in the CLI command permissions of Cisco IOS and Cisco IOS XE Software could allow an authenticated, local attacker to retrieve the password for Common Industrial Protocol (CIP) and then remotely configure the device as an administrative user. This vulnerability exists because incorrect permissions are associated with the show cip security CLI command. An attacker could exploit this vulnerability by issuing the command to retrieve the password for CIP on an affected device. A successful explo... • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-XE-SAP-OPLbze68 • CWE-522: Insufficiently Protected Credentials •
CVSS: 5.3EPSS: 0%CPEs: 10EXPL: 0CVE-2021-1394 – Cisco IOS XE Software for Network Convergence System 520 Routers Denial of Service Vulnerability
https://notcve.org/view.php?id=CVE-2021-1394
24 Mar 2021 — A vulnerability in the ingress traffic manager of Cisco IOS XE Software for Cisco Network Convergence System (NCS) 520 Routers could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition in the web management interface of an affected device. This vulnerability is due to incorrect processing of certain IPv4 TCP traffic that is destined to an affected device. An attacker could exploit this vulnerability by sending a large number of crafted TCP packets to the affected device. A... • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ncs520-tcp-ZpzzOxB • CWE-399: Resource Management Errors •
CVSS: 6.9EPSS: 0%CPEs: 257EXPL: 0CVE-2021-1398 – Cisco IOS XE Software Arbitrary Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2021-1398
24 Mar 2021 — A vulnerability in the boot logic of Cisco IOS XE Software could allow an authenticated, local attacker with level 15 privileges or an unauthenticated attacker with physical access to execute arbitrary code on the underlying Linux operating system of an affected device. This vulnerability is due to incorrect validations of specific function arguments that are passed to the boot script. An attacker could exploit this vulnerability by tampering with a specific file, which an affected device would process duri... • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-XE-ACE-75K3bRWe • CWE-489: Active Debug Code •
CVSS: 7.4EPSS: 0%CPEs: 123EXPL: 0CVE-2021-1403 – Cisco IOS XE Software Web UI Cross-Site WebSocket Hijacking Vulnerability
https://notcve.org/view.php?id=CVE-2021-1403
24 Mar 2021 — A vulnerability in the web UI feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a cross-site WebSocket hijacking (CSWSH) attack and cause a denial of service (DoS) condition on an affected device. This vulnerability is due to insufficient HTTP protections in the web UI on an affected device. An attacker could exploit this vulnerability by persuading an authenticated user of the web UI to follow a crafted link. A successful exploit could allow the attacker to corrupt... • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-cswsh-FKk9AzT5 • CWE-345: Insufficient Verification of Data Authenticity CWE-1021: Improper Restriction of Rendered UI Layers or Frames •