CVE-2021-34736 – Cisco Integrated Management Controller GUI Denial of Service Vulnerability
https://notcve.org/view.php?id=CVE-2021-34736
A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) Software could allow an unauthenticated, remote attacker to cause the web-based management interface to unexpectedly restart. The vulnerability is due to insufficient input validation on the web-based management interface. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to cause the interface to restart, resulting in a denial of service (DoS) condition. Una vulnerabilidad en la interfaz de administración basada en web de Cisco Integrated Management Controller (IMC) Software podría permitir a un atacante remoto no autenticado causar el reinicio inesperado de la interfaz de administración basada en web. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-imc-gui-dos-TZjrFyZh • CWE-20: Improper Input Validation •
CVE-2021-1397 – Cisco Integrated Management Controller Open Redirect Vulnerability
https://notcve.org/view.php?id=CVE-2021-1397
A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) Software could allow an unauthenticated, remote attacker to redirect a user to a malicious web page. This vulnerability is due to improper input validation of the parameters in an HTTP request. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to redirect a user to a malicious website. This vulnerability is known as an open redirect attack, which is used in phishing attacks to get users to visit malicious sites without their knowledge. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-imc-openred-zAYrU6d2 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVE-2020-3470 – Cisco Integrated Management Controller Multiple Remote Code Execution Vulnerabilities
https://notcve.org/view.php?id=CVE-2020-3470
Multiple vulnerabilities in the API subsystem of Cisco Integrated Management Controller (IMC) could allow an unauthenticated, remote attacker to execute arbitrary code with root privileges. The vulnerabilities are due to improper boundary checks for certain user-supplied input. An attacker could exploit these vulnerabilities by sending a crafted HTTP request to the API subsystem of an affected system. When this request is processed, an exploitable buffer overflow condition may occur. A successful exploit could allow the attacker to execute arbitrary code with root privileges on the underlying operating system (OS). • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucs-api-rce-UXwpeDHd • CWE-20: Improper Input Validation CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVE-2019-1880 – Cisco Unified Computing System BIOS Signature Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2019-1880
A vulnerability in the BIOS upgrade utility of Cisco Unified Computing System (UCS) C-Series Rack Servers could allow an authenticated, local attacker to install compromised BIOS firmware on an affected device. The vulnerability is due to insufficient validation of the firmware image file. An attacker could exploit this vulnerability by executing the BIOS upgrade utility with a specific set of options. A successful exploit could allow the attacker to bypass the firmware signature-verification process and install compromised BIOS firmware on an affected device. Una vulnerabilidad en la utilidad de actualización del BIOS de rack servidores Unified Computing System (UCS) C-Series de Cisco, podría permitir a un atacante local autorizado instalar el firmware del BIOS comprometido en un dispositivo afectado. • http://www.securityfocus.com/bid/108680 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190605-ucs-biossig-bypass • CWE-345: Insufficient Verification of Data Authenticity •
CVE-2019-1857 – Cisco HyperFlex HX-Series Web-Based Management Interface Cross-Site Request Forgery Vulnerability
https://notcve.org/view.php?id=CVE-2019-1857
A vulnerability in the web-based management interface of Cisco HyperFlex HX-Series could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected system. The vulnerability is due to insufficient CSRF protections for the web-based management interface of the affected software. An attacker could exploit this vulnerability by persuading a user of the interface to follow a crafted link. A successful exploit could allow the attacker to perform arbitrary actions on an affected system by using a web browser and with the privileges of the user. Una vulnerabilidad en la interfaz de administración basada en la web de HyperFlex HX-Series de Cisco, podría permitir a un atacante remoto no identificado dirija un ataque de tipo cross-site request forgery (CSRF) y ejecute acciones arbitrarias en un sistema afectado. • http://www.securityfocus.com/bid/108163 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-hyperflex-csrf • CWE-352: Cross-Site Request Forgery (CSRF) •