CVSS: 8.2EPSS: 0%CPEs: 1EXPL: 0CVE-2024-20255
https://notcve.org/view.php?id=CVE-2024-20255
A vulnerability in the SOAP API of Cisco Expressway Series and Cisco TelePresence Video Communication Server could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. This vulnerability is due to insufficient CSRF protections for the web-based management interface of an affected system. An attacker could exploit this vulnerability by persuading a user of the REST API to follow a crafted link. A successful exploit could allow the attacker to cause the affected system to reload. Una vulnerabilidad en la API SOAP de Cisco Expressway Series y Cisco TelePresence Video Communication Server podría permitir que un atacante remoto no autenticado lleve a cabo un ataque de cross-site request forgery (CSRF) en un sistema afectado. Esta vulnerabilidad se debe a protecciones CSRF insuficientes para la interfaz de administración basada en web de un sistema afectado. • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-expressway-csrf-KnnZDMj3 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.6EPSS: 0%CPEs: 1EXPL: 0CVE-2024-20254
https://notcve.org/view.php?id=CVE-2024-20254
Multiple vulnerabilities in Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an unauthenticated, remote attacker to conduct cross-site request forgery (CSRF) attacks that perform arbitrary actions on an affected device. Note: "Cisco Expressway Series" refers to Cisco Expressway Control (Expressway-C) devices and Cisco Expressway Edge (Expressway-E) devices. For more information about these vulnerabilities, see the Details ["#details"] section of this advisory. Múltiples vulnerabilidades en Cisco Expressway Series y Cisco TelePresence Video Communication Server (VCS) podrían permitir que un atacante remoto no autenticado realice ataques de cross-site request forgery (CSRF) que realicen acciones arbitrarias en un dispositivo afectado. Nota: "Serie Cisco Expressway" se refiere a los dispositivos Cisco Expressway Control (Expressway-C) y Cisco Expressway Edge (Expressway-E). Para obtener más información sobre estas vulnerabilidades, consulte la sección Detalles ["#details"] de este aviso. • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-expressway-csrf-KnnZDMj3 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.6EPSS: 0%CPEs: 1EXPL: 0CVE-2024-20252
https://notcve.org/view.php?id=CVE-2024-20252
Multiple vulnerabilities in Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an unauthenticated, remote attacker to conduct cross-site request forgery (CSRF) attacks that perform arbitrary actions on an affected device. Note: "Cisco Expressway Series" refers to Cisco Expressway Control (Expressway-C) devices and Cisco Expressway Edge (Expressway-E) devices. For more information about these vulnerabilities, see the Details ["#details"] section of this advisory. Múltiples vulnerabilidades en Cisco Expressway Series y Cisco TelePresence Video Communication Server (VCS) podrían permitir que un atacante remoto no autenticado realice ataques de cross-site request forgery (CSRF) que realicen acciones arbitrarias en un dispositivo afectado. Nota: "Serie Cisco Expressway" se refiere a los dispositivos Cisco Expressway Control (Expressway-C) y Cisco Expressway Edge (Expressway-E). Para obtener más información sobre estas vulnerabilidades, consulte la sección Detalles ["#details"] de este aviso. • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-expressway-csrf-KnnZDMj3 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.5EPSS: 81%CPEs: 444EXPL: 7CVE-2023-44487 – HTTP/2 Rapid Reset Attack Vulnerability
https://notcve.org/view.php?id=CVE-2023-44487
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. El protocolo HTTP/2 permite una denegación de servicio (consumo de recursos del servidor) porque la cancelación de solicitudes puede restablecer muchas transmisiones rápidamente, como se explotó en la naturaleza entre agosto y octubre de 2023. A flaw was found in handling multiplexed streams in the HTTP/2 protocol. A client can repeatedly make a request for a new multiplex stream and immediately send an RST_STREAM frame to cancel it. This creates extra work for the server setting up and tearing down the streams while not hitting any server-side limit for the maximum number of active streams per connection, resulting in a denial of service due to server resource consumption. • https://github.com/imabee101/CVE-2023-44487 https://github.com/studiogangster/CVE-2023-44487 https://github.com/bcdannyboy/CVE-2023-44487 https://github.com/sigridou/CVE-2023-44487- https://github.com/ByteHackr/CVE-2023-44487 https://github.com/ReToCode/golang-CVE-2023-44487 http://www.openwall.com/lists/oss-security/2023/10/13/4 http://www.openwall.com/lists/oss-security/2023/10/13/9 http://www.openwall.com/lists/oss-security/2023/10/18/4 http://www. • CWE-400: Uncontrolled Resource Consumption •
CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 0CVE-2022-20813 – Cisco Expressway Series and Cisco TelePresence Video Communication Server Vulnerabilities
https://notcve.org/view.php?id=CVE-2022-20813
Multiple vulnerabilities in the API and in the web-based management interface of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow a remote attacker to overwrite arbitrary files or conduct null byte poisoning attacks on an affected device. Note: Cisco Expressway Series refers to the Expressway Control (Expressway-C) device and the Expressway Edge (Expressway-E) device. For more information about these vulnerabilities, see the Details section of this advisory. Múltiples vulnerabilidades en la API y en la interfaz de administración basada en web de la serie Expressway de Cisco y del servidor de comunicaciones de vídeo (VCS) de Cisco TelePresence podrían permitir a un atacante remoto sobrescribir archivos arbitrarios o conducir ataques de envenenamiento de bytes nulos en un dispositivo afectado. Nota: La serie Cisco Expressway hace referencia al dispositivo Expressway Control (Expressway-C) y al dispositivo Expressway Edge (Expressway-E). • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-expressway-overwrite-3buqW8LH • CWE-158: Improper Neutralization of Null Byte or NUL Character CWE-295: Improper Certificate Validation •