CVSS: 5.3EPSS: 96%CPEs: 9EXPL: 1CVE-2021-1499 – Cisco HyperFlex HX Data Platform File Upload Vulnerability
https://notcve.org/view.php?id=CVE-2021-1499
A vulnerability in the web-based management interface of Cisco HyperFlex HX Data Platform could allow an unauthenticated, remote attacker to upload files to an affected device. This vulnerability is due to missing authentication for the upload function. An attacker could exploit this vulnerability by sending a specific HTTP request to an affected device. A successful exploit could allow the attacker to upload files to the affected device with the permissions of the tomcat8 user. Una vulnerabilidad en la interfaz de administración basada en web de Cisco HyperFlex HX Data Platform, podría permitir a un atacante remoto no autenticado cargar archivos en un dispositivo afectado. • http://packetstormsecurity.com/files/163203/Cisco-HyperFlex-HX-Data-Platform-File-Upload-Remote-Code-Execution.html https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-upload-KtCK8Ugz https://attackerkb.com/assessments/82738621-1114-4aba-990a-9ea007b05834 • CWE-306: Missing Authentication for Critical Function •
CVSS: 9.8EPSS: 97%CPEs: 9EXPL: 1CVE-2021-1498 – Cisco HyperFlex HX Data Platform Command Injection Vulnerability
https://notcve.org/view.php?id=CVE-2021-1498
Multiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device. For more information about these vulnerabilities, see the Details section of this advisory. Múltiples vulnerabilidades en la interfaz de administración basada en web de Cisco HyperFlex HX, podrían permitir a un atacante remoto no autenticado llevar a cabo ataques de inyección de comandos contra un dispositivo afectado. Para obtener más información sobre estas vulnerabilidades, consulte la sección Detalles de este aviso Cisco HyperFlex HX Installer Virtual Machine contains an insufficient input validation vulnerability which could allow an attacker to execute commands on an affected device as the tomcat8 user. • http://packetstormsecurity.com/files/162976/Cisco-HyperFlex-HX-Data-Platform-Command-Execution.html https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-rce-TjjNrkpR https://attackerkb.com/assessments/4f532147-b27b-4079-aed1-5cfdc402cf5c https://twitter.com/ptswarm/status/1390300625129201664 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •