CVSS: 5.3EPSS: 96%CPEs: 9EXPL: 1CVE-2021-1499 – Cisco HyperFlex HX Data Platform File Upload Vulnerability
https://notcve.org/view.php?id=CVE-2021-1499
A vulnerability in the web-based management interface of Cisco HyperFlex HX Data Platform could allow an unauthenticated, remote attacker to upload files to an affected device. This vulnerability is due to missing authentication for the upload function. An attacker could exploit this vulnerability by sending a specific HTTP request to an affected device. A successful exploit could allow the attacker to upload files to the affected device with the permissions of the tomcat8 user. Una vulnerabilidad en la interfaz de administración basada en web de Cisco HyperFlex HX Data Platform, podría permitir a un atacante remoto no autenticado cargar archivos en un dispositivo afectado. • http://packetstormsecurity.com/files/163203/Cisco-HyperFlex-HX-Data-Platform-File-Upload-Remote-Code-Execution.html https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-upload-KtCK8Ugz https://attackerkb.com/assessments/82738621-1114-4aba-990a-9ea007b05834 • CWE-306: Missing Authentication for Critical Function •
CVSS: 9.8EPSS: 97%CPEs: 9EXPL: 1CVE-2021-1498 – Cisco HyperFlex HX Data Platform Command Injection Vulnerability
https://notcve.org/view.php?id=CVE-2021-1498
Multiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device. For more information about these vulnerabilities, see the Details section of this advisory. Múltiples vulnerabilidades en la interfaz de administración basada en web de Cisco HyperFlex HX, podrían permitir a un atacante remoto no autenticado llevar a cabo ataques de inyección de comandos contra un dispositivo afectado. Para obtener más información sobre estas vulnerabilidades, consulte la sección Detalles de este aviso Cisco HyperFlex HX Installer Virtual Machine contains an insufficient input validation vulnerability which could allow an attacker to execute commands on an affected device as the tomcat8 user. • http://packetstormsecurity.com/files/162976/Cisco-HyperFlex-HX-Data-Platform-Command-Execution.html https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-rce-TjjNrkpR https://attackerkb.com/assessments/4f532147-b27b-4079-aed1-5cfdc402cf5c https://twitter.com/ptswarm/status/1390300625129201664 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2019-1958 – Cisco HyperFlex Software Cross-Site Request Forgery Vulnerability
https://notcve.org/view.php?id=CVE-2019-1958
A vulnerability in the web-based management interface of Cisco HyperFlex Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protections for the web UI on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user. Una vulnerabilidad en la interfaz de administración basada en web de HyperFlex Software de Cisco, podría permitir a un atacante remoto no autenticado conducir un ataque de tipo cross-site request forgery (CSRF) en un sistema afectado. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190807-hypflex-csrf • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.0EPSS: 0%CPEs: 12EXPL: 0CVE-2019-1667 – Cisco HyperFlex Arbitrary Statistics Write Vulnerability
https://notcve.org/view.php?id=CVE-2019-1667
A vulnerability in the Graphite interface of Cisco HyperFlex software could allow an authenticated, local attacker to write arbitrary data to the Graphite interface. The vulnerability is due to insufficient authorization controls. An attacker could exploit this vulnerability by connecting to the Graphite service and sending arbitrary data. A successful exploit could allow the attacker to write arbitrary data to Graphite, which could result in invalid statistics being presented in the interface. Versions prior to 3.5(2a) are affected. • http://www.securityfocus.com/bid/107100 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190220-hyper-write • CWE-345: Insufficient Verification of Data Authenticity CWE-863: Incorrect Authorization •
CVSS: 6.1EPSS: 0%CPEs: 11EXPL: 0CVE-2019-1665 – Cisco Hyperflex Stored Cross-Site Scripting Vulnerability
https://notcve.org/view.php?id=CVE-2019-1665
A vulnerability in the web-based management interface of Cisco HyperFlex software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected system. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by persuading a user of the interface to click a maliciously crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. Versions prior to 3.5(1a) are affected. • http://www.securityfocus.com/bid/107097 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190220-hyper-xss • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •