CVSS: 9.0EPSS: 0%CPEs: 47EXPL: 0CVE-2023-20076 – Cisco IOx Application Hosting Environment Command Injection Vulnerability
https://notcve.org/view.php?id=CVE-2023-20076
12 Feb 2023 — A vulnerability in the Cisco IOx application hosting environment could allow an authenticated, remote attacker to execute arbitrary commands as root on the underlying host operating system. This vulnerability is due to incomplete sanitization of parameters that are passed in for activation of an application. An attacker could exploit this vulnerability by deploying and activating an application in the Cisco IOx application hosting environment with a crafted activation payload file. A successful exploit coul... • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iox-8whGn5dL • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-233: Improper Handling of Parameters •
CVSS: 5.5EPSS: 0%CPEs: 278EXPL: 0CVE-2022-20725 – Cisco IOx Application Hosting Environment Vulnerabilities
https://notcve.org/view.php?id=CVE-2022-20725
15 Apr 2022 — Multiple vulnerabilities in the Cisco IOx application hosting environment on multiple Cisco platforms could allow an attacker to inject arbitrary commands into the underlying host operating system, execute arbitrary code on the underlying host operating system, install applications without being authenticated, or conduct a cross-site scripting (XSS) attack against a user of the affected software. For more information about these vulnerabilities, see the Details section of this advisory. Múltiples vulnerabil... • https://github.com/orangecertcc/security-research/security/advisories/GHSA-q2v9-qpmg-4qc4 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.1EPSS: 0%CPEs: 6EXPL: 0CVE-2020-3426 – Cisco IOS Software for Cisco Industrial Routers Virtual-LPWA Unauthorized Access Vulnerability
https://notcve.org/view.php?id=CVE-2020-3426
24 Sep 2020 — A vulnerability in the implementation of the Low Power, Wide Area (LPWA) subsystem of Cisco IOS Software for Cisco 800 Series Industrial Integrated Services Routers (Industrial ISRs) and Cisco 1000 Series Connected Grid Routers (CGR1000) could allow an unauthenticated, remote attacker to gain unauthorized read access to sensitive data or cause a denial of service (DoS) condition. The vulnerability is due to a lack of input and validation checking mechanisms for virtual-LPWA (VLPWA) protocol modem messages. ... • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-lpwa-access-cXsD7PRA • CWE-20: Improper Input Validation CWE-264: Permissions, Privileges, and Access Controls •