6 results (0.002 seconds)

CVSS: 5.3EPSS: 96%CPEs: 9EXPL: 1

A vulnerability in the web-based management interface of Cisco HyperFlex HX Data Platform could allow an unauthenticated, remote attacker to upload files to an affected device. This vulnerability is due to missing authentication for the upload function. An attacker could exploit this vulnerability by sending a specific HTTP request to an affected device. A successful exploit could allow the attacker to upload files to the affected device with the permissions of the tomcat8 user. Una vulnerabilidad en la interfaz de administración basada en web de Cisco HyperFlex HX Data Platform, podría permitir a un atacante remoto no autenticado cargar archivos en un dispositivo afectado. • http://packetstormsecurity.com/files/163203/Cisco-HyperFlex-HX-Data-Platform-File-Upload-Remote-Code-Execution.html https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-upload-KtCK8Ugz https://attackerkb.com/assessments/82738621-1114-4aba-990a-9ea007b05834 • CWE-306: Missing Authentication for Critical Function •

CVSS: 9.8EPSS: 97%CPEs: 9EXPL: 1

Multiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device. For more information about these vulnerabilities, see the Details section of this advisory. Múltiples vulnerabilidades en la interfaz de administración basada en web de Cisco HyperFlex HX, podrían permitir a un atacante remoto no autenticado llevar a cabo ataques de inyección de comandos contra un dispositivo afectado. Para obtener más información sobre estas vulnerabilidades, consulte la sección Detalles de este aviso Cisco HyperFlex HX Installer Virtual Machine contains an insufficient input validation vulnerability which could allow an attacker to execute commands on an affected device as the tomcat8 user. • http://packetstormsecurity.com/files/162976/Cisco-HyperFlex-HX-Data-Platform-Command-Execution.html https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-rce-TjjNrkpR https://attackerkb.com/assessments/4f532147-b27b-4079-aed1-5cfdc402cf5c https://twitter.com/ptswarm/status/1390300625129201664 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVSS: 10.0EPSS: 97%CPEs: 8EXPL: 1

Multiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device. For more information about these vulnerabilities, see the Details section of this advisory. Múltiples vulnerabilidades en la interfaz de administración basada en web de Cisco HyperFlex HX, podrían permitir a un atacante remoto no autenticado llevar a cabo ataques de inyección de comandos contra un dispositivo afectado. Para obtener más información sobre estas vulnerabilidades, consulte la sección Detalles de este aviso Cisco HyperFlex HX Installer Virtual Machine contains an insufficient input validation vulnerability which could allow an attacker to execute commands on an affected device as the root user. • http://packetstormsecurity.com/files/162976/Cisco-HyperFlex-HX-Data-Platform-Command-Execution.html https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-rce-TjjNrkpR https://attackerkb.com/assessments/4f532147-b27b-4079-aed1-5cfdc402cf5c https://twitter.com/ptswarm/status/1390300625129201664 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVSS: 5.3EPSS: 0%CPEs: 20EXPL: 0

A vulnerability in the statistics collection service of Cisco HyperFlex Software could allow an unauthenticated, remote attacker to inject arbitrary values on an affected device. The vulnerability is due to insufficient authentication for the statistics collection service. An attacker could exploit this vulnerability by sending properly formatted data values to the statistics collection service of an affected device. A successful exploit could allow the attacker to cause the web interface statistics view to present invalid data to users. Una vulnerabilidad en el servicio de recopilación de estadísticas de Cisco HyperFlex Software, podría permitir a un atacante remoto no autenticado inyectar valores arbitrarios sobre un dispositivo afectado. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190918-hyperflex-valinj • CWE-345: Insufficient Verification of Data Authenticity •

CVSS: 6.5EPSS: 0%CPEs: 15EXPL: 0

A vulnerability in the web-based interface of Cisco HyperFlex Software could allow an unauthenticated, remote attacker to execute a cross-frame scripting (XFS) attack on an affected device. This vulnerability is due to insufficient HTML iframe protection. An attacker could exploit this vulnerability by directing a user to an attacker-controlled web page that contains a malicious HTML iframe. A successful exploit could allow the attacker to conduct clickjacking or other clientside browser attacks. Una vulnerabilidad en la interfaz basada en web de Cisco HyperFlex Software podría permitir a un atacante remoto no autenticado ejecutar un ataque de tipo cross-frame scripting (XFS) sobre un dispositivo afectado. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190918-hyperflex-xfs • CWE-693: Protection Mechanism Failure CWE-1021: Improper Restriction of Rendered UI Layers or Frames •