CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2023-20263
https://notcve.org/view.php?id=CVE-2023-20263
A vulnerability in the web-based management interface of Cisco HyperFlex HX Data Platform could allow an unauthenticated, remote attacker to redirect a user to a malicious web page. This vulnerability is due to improper input validation of the parameters in an HTTP request. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to redirect a user to a malicious website. Una vulnerabilidad en la interfaz de gestión basada en web de la plataforma de datos Cisco HyperFlex HX podría permitir a un atacante remoto no autenticado redirigir a un usuario a una página web maliciosa. Esta vulnerabilidad se debe a una validación de entrada incorrecta de los parámetros en una solicitud HTTP. • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-redirect-UxLgqdUF • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 5.3EPSS: 96%CPEs: 9EXPL: 1CVE-2021-1499 – Cisco HyperFlex HX Data Platform File Upload Vulnerability
https://notcve.org/view.php?id=CVE-2021-1499
A vulnerability in the web-based management interface of Cisco HyperFlex HX Data Platform could allow an unauthenticated, remote attacker to upload files to an affected device. This vulnerability is due to missing authentication for the upload function. An attacker could exploit this vulnerability by sending a specific HTTP request to an affected device. A successful exploit could allow the attacker to upload files to the affected device with the permissions of the tomcat8 user. Una vulnerabilidad en la interfaz de administración basada en web de Cisco HyperFlex HX Data Platform, podría permitir a un atacante remoto no autenticado cargar archivos en un dispositivo afectado. • http://packetstormsecurity.com/files/163203/Cisco-HyperFlex-HX-Data-Platform-File-Upload-Remote-Code-Execution.html https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-upload-KtCK8Ugz https://attackerkb.com/assessments/82738621-1114-4aba-990a-9ea007b05834 • CWE-306: Missing Authentication for Critical Function •
CVSS: 9.8EPSS: 97%CPEs: 9EXPL: 1CVE-2021-1498 – Cisco HyperFlex HX Data Platform Command Injection Vulnerability
https://notcve.org/view.php?id=CVE-2021-1498
Multiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device. For more information about these vulnerabilities, see the Details section of this advisory. Múltiples vulnerabilidades en la interfaz de administración basada en web de Cisco HyperFlex HX, podrían permitir a un atacante remoto no autenticado llevar a cabo ataques de inyección de comandos contra un dispositivo afectado. Para obtener más información sobre estas vulnerabilidades, consulte la sección Detalles de este aviso Cisco HyperFlex HX Installer Virtual Machine contains an insufficient input validation vulnerability which could allow an attacker to execute commands on an affected device as the tomcat8 user. • http://packetstormsecurity.com/files/162976/Cisco-HyperFlex-HX-Data-Platform-Command-Execution.html https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-rce-TjjNrkpR https://attackerkb.com/assessments/4f532147-b27b-4079-aed1-5cfdc402cf5c https://twitter.com/ptswarm/status/1390300625129201664 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 10.0EPSS: 97%CPEs: 8EXPL: 1CVE-2021-1497 – Cisco HyperFlex HX Installer Virtual Machine Command Injection Vulnerability
https://notcve.org/view.php?id=CVE-2021-1497
Multiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device. For more information about these vulnerabilities, see the Details section of this advisory. Múltiples vulnerabilidades en la interfaz de administración basada en web de Cisco HyperFlex HX, podrían permitir a un atacante remoto no autenticado llevar a cabo ataques de inyección de comandos contra un dispositivo afectado. Para obtener más información sobre estas vulnerabilidades, consulte la sección Detalles de este aviso Cisco HyperFlex HX Installer Virtual Machine contains an insufficient input validation vulnerability which could allow an attacker to execute commands on an affected device as the root user. • http://packetstormsecurity.com/files/162976/Cisco-HyperFlex-HX-Data-Platform-Command-Execution.html https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-rce-TjjNrkpR https://attackerkb.com/assessments/4f532147-b27b-4079-aed1-5cfdc402cf5c https://twitter.com/ptswarm/status/1390300625129201664 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2019-1958 – Cisco HyperFlex Software Cross-Site Request Forgery Vulnerability
https://notcve.org/view.php?id=CVE-2019-1958
A vulnerability in the web-based management interface of Cisco HyperFlex Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protections for the web UI on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user. Una vulnerabilidad en la interfaz de administración basada en web de HyperFlex Software de Cisco, podría permitir a un atacante remoto no autenticado conducir un ataque de tipo cross-site request forgery (CSRF) en un sistema afectado. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190807-hypflex-csrf • CWE-352: Cross-Site Request Forgery (CSRF) •