
CVE-2023-20076 – Cisco IOx Application Hosting Environment Command Injection Vulnerability
https://notcve.org/view.php?id=CVE-2023-20076
12 Feb 2023 — A vulnerability in the Cisco IOx application hosting environment could allow an authenticated, remote attacker to execute arbitrary commands as root on the underlying host operating system. This vulnerability is due to incomplete sanitization of parameters that are passed in for activation of an application. An attacker could exploit this vulnerability by deploying and activating an application in the Cisco IOx application hosting environment with a crafted activation payload file. A successful exploit coul... • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iox-8whGn5dL • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-233: Improper Handling of Parameters •

CVE-2020-3238 – Cisco IOx Application Framework Arbitrary File Creation Vulnerability
https://notcve.org/view.php?id=CVE-2020-3238
03 Jun 2020 — A vulnerability in the Cisco Application Framework component of the Cisco IOx application environment could allow an authenticated, remote attacker to write or modify arbitrary files in the virtual instance that is running on the affected device. The vulnerability is due to insufficient input validation of user-supplied application packages. An attacker who can upload a malicious package within Cisco IOx could exploit the vulnerability to modify arbitrary files. The impacts of a successful exploit are limit... • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-caf-3dXM8exv • CWE-20: Improper Input Validation •

CVE-2020-3237 – Cisco IOx Application Framework Arbitrary File Overwrite Vulnerability
https://notcve.org/view.php?id=CVE-2020-3237
03 Jun 2020 — A vulnerability in the Cisco Application Framework component of the Cisco IOx application environment could allow an authenticated, local attacker to overwrite arbitrary files in the virtual instance that is running on the affected device. The vulnerability is due to insufficient path restriction enforcement. An attacker could exploit this vulnerability by including a crafted file in an application package. An exploit could allow the attacker to overwrite files. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-caf-file-mVnPqKW9 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •

CVE-2020-3233 – Cisco IOx Application Framework Local Manager Stored Cross-Site Scripting Vulnerability
https://notcve.org/view.php?id=CVE-2020-3233
03 Jun 2020 — A vulnerability in the web-based Local Manager interface of the Cisco IOx Application Framework could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web-based Local Manager interface of an affected device. The attacker must have valid Local Manager credentials. The vulnerability is due to insufficient validation of user-supplied input by the web-based Local Manager interface of the affected software. An attacker could exploit this vulnerab... • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ioxxss-wc6CqUws • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2017-3851
https://notcve.org/view.php?id=CVE-2017-3851
22 Mar 2017 — A Directory Traversal vulnerability in the web framework code of the Cisco application-hosting framework (CAF) component of the Cisco IOx application environment could allow an unauthenticated, remote attacker to read any file from the CAF in the virtual instance running on the affected device. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by submitting crafted requests to the CAF web interface. The impacts of a successful exploit are limited to the ... • http://www.securityfocus.com/bid/97013 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2017-3852
https://notcve.org/view.php?id=CVE-2017-3852
22 Mar 2017 — A vulnerability in the Cisco application-hosting framework (CAF) component of the Cisco IOx application environment could allow an authenticated, remote attacker to write or modify arbitrary files in the virtual instance running on the affected device. The vulnerability is due to insufficient input validation of user-supplied application packages. An attacker who can upload a malicious package within Cisco IOx could exploit the vulnerability to modify arbitrary files. The impacts of a successful exploit are... • http://www.securityfocus.com/bid/97014 • CWE-20: Improper Input Validation •

CVE-2017-3853 – Cisco Security Advisory 20170322-iox
https://notcve.org/view.php?id=CVE-2017-3853
22 Mar 2017 — A vulnerability in the Data-in-Motion (DMo) process installed with the Cisco IOx application environment could allow an unauthenticated, remote attacker to cause a stack overflow that could allow remote code execution with root privileges in the virtual instance running on an affected device. The vulnerability is due to insufficient bounds checking in the DMo process. An attacker could exploit this vulnerability by sending crafted packets that are forwarded to the DMo process for evaluation. The impacts of ... • http://www.securityfocus.com/bid/97011 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •

CVE-2017-3805
https://notcve.org/view.php?id=CVE-2017-3805
26 Jan 2017 — A vulnerability in the web-based management interface of Cisco IOS and Cisco IOx Software could allow an unauthenticated, remote attacker to view confidential information that is displayed without authenticating to the device. Affected Products: This vulnerability affects Cisco IOS Software and Cisco IOx Software running on IR829, IR809, IE4K, and CGR1K platforms. More Information: CSCvb20897. Known Affected Releases: 1.0(0). • http://www.securityfocus.com/bid/95644 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVE-2016-9199
https://notcve.org/view.php?id=CVE-2016-9199
14 Dec 2016 — A vulnerability in the Cisco application-hosting framework (CAF) of Cisco IOx could allow an authenticated, remote attacker to read arbitrary files on a targeted system. Affected Products: This vulnerability affects specific releases of the Cisco IOx subsystem of Cisco IOS and IOS XE Software. More Information: CSCvb23331. Known Affected Releases: 15.2(6.0.57i)E CAF-1.1.0.0. • http://www.securityfocus.com/bid/94788 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •