CVSS: 7.5EPSS: 81%CPEs: 444EXPL: 7CVE-2023-44487 – HTTP/2 Rapid Reset Attack Vulnerability
https://notcve.org/view.php?id=CVE-2023-44487
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. El protocolo HTTP/2 permite una denegación de servicio (consumo de recursos del servidor) porque la cancelación de solicitudes puede restablecer muchas transmisiones rápidamente, como se explotó en la naturaleza entre agosto y octubre de 2023. A flaw was found in handling multiplexed streams in the HTTP/2 protocol. A client can repeatedly make a request for a new multiplex stream and immediately send an RST_STREAM frame to cancel it. This creates extra work for the server setting up and tearing down the streams while not hitting any server-side limit for the maximum number of active streams per connection, resulting in a denial of service due to server resource consumption. • https://github.com/imabee101/CVE-2023-44487 https://github.com/studiogangster/CVE-2023-44487 https://github.com/bcdannyboy/CVE-2023-44487 https://github.com/sigridou/CVE-2023-44487- https://github.com/ByteHackr/CVE-2023-44487 https://github.com/ReToCode/golang-CVE-2023-44487 http://www.openwall.com/lists/oss-security/2023/10/13/4 http://www.openwall.com/lists/oss-security/2023/10/13/9 http://www.openwall.com/lists/oss-security/2023/10/18/4 http://www. • CWE-400: Uncontrolled Resource Consumption •
CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 0CVE-2021-1522 – Cisco Connected Mobile Experiences Strong Authentication Requirements Enforcement Bypass
https://notcve.org/view.php?id=CVE-2021-1522
A vulnerability in the change password API of Cisco Connected Mobile Experiences (CMX) could allow an authenticated, remote attacker to alter their own password to a value that does not comply with the strong authentication requirements that are configured on an affected device. This vulnerability exists because a password policy check is incomplete at the time a password is changed at server side using the API. An attacker could exploit this vulnerability by sending a specially crafted API request to the affected device. A successful exploit could allow the attacker to change their own password to a value that does not comply with the configured strong authentication requirements. Una vulnerabilidad en la API de cambio de contraseña de Cisco Connected Mobile Experiences (CMX), podría permitir a un atacante remoto autenticado alterar su propia contraseña a un valor que no cumpla con los requisitos de autenticación fuerte que están configurados en un dispositivo afectado. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cmx-GkCvfd4 • CWE-255: Credentials Management Errors CWE-521: Weak Password Requirements •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2021-1144 – Cisco Connected Mobile Experiences Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2021-1144
A vulnerability in Cisco Connected Mobile Experiences (CMX) could allow a remote, authenticated attacker without administrative privileges to alter the password of any user on an affected system. The vulnerability is due to incorrect handling of authorization checks for changing a password. An authenticated attacker without administrative privileges could exploit this vulnerability by sending a modified HTTP request to an affected device. A successful exploit could allow the attacker to alter the passwords of any user on the system, including an administrative user, and then impersonate that user. Una vulnerabilidad en Cisco Connected Mobile Experiences (CMX), podría permitir a un atacante autenticado remoto sin privilegios administrativos alterar la contraseña de cualquier usuario en un sistema afectado. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cmxpe-75Asy9k • CWE-863: Incorrect Authorization •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2021-1143 – Cisco Connected Mobile Experiences User Enumeration Vulnerability
https://notcve.org/view.php?id=CVE-2021-1143
A vulnerability in Cisco Connected Mobile Experiences (CMX) API authorizations could allow an authenticated, remote attacker to enumerate what users exist on the system. The vulnerability is due to a lack of authorization checks for certain API GET requests. An attacker could exploit this vulnerability by sending specific API GET requests to an affected device. A successful exploit could allow the attacker to enumerate users of the CMX system. Una vulnerabilidad en autorizaciones de Cisco Connected Mobile Experiences (CMX) API, podría permitir a un atacante autenticado remoto enumerar qué usuarios existen en el sistema. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cmxapi-KsKwCmfp • CWE-862: Missing Authorization CWE-863: Incorrect Authorization •
CVSS: 6.7EPSS: 0%CPEs: 3EXPL: 0CVE-2020-3151 – Cisco Connected Mobile Experiences Restricted Shell Escape Vulnerability
https://notcve.org/view.php?id=CVE-2020-3151
A vulnerability in the CLI of Cisco Connected Mobile Experiences (CMX) could allow an authenticated, local attacker with administrative credentials to bypass restrictions on the CLI. The vulnerability is due to insufficient security mechanisms in the restricted shell implementation. An attacker could exploit this vulnerability by sending crafted commands to the CLI. A successful exploit could allow the attacker to escape the restricted shell and execute a set of normally unauthorized commands with the privileges of a non-root user. To exploit this vulnerability, an attacker would need to have valid administrative credentials. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cmx-rshell-esc-L6hBwjbg • CWE-287: Improper Authentication •