CVE-2017-12285 – Cisco Prime Network Analysis Module graph sfile Parameter Directory Traversal Arbitrary File Deletion Vulnerability
https://notcve.org/view.php?id=CVE-2017-12285
A vulnerability in the web interface of Cisco Network Analysis Module Software could allow an unauthenticated, remote attacker to delete arbitrary files from an affected system, aka Directory Traversal. The vulnerability exists because the affected software does not perform proper input validation of HTTP requests that it receives and the software does not apply role-based access controls (RBACs) to requested HTTP URLs. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected software. A successful exploit could allow the attacker to delete arbitrary files from the affected system. Cisco Bug IDs: CSCvf41365. • http://www.securityfocus.com/bid/101527 http://www.securitytracker.com/id/1039623 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171018-nam • CWE-20: Improper Input Validation CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2016-1390
https://notcve.org/view.php?id=CVE-2016-1390
Cisco Prime Network Analysis Module (NAM) before 6.1(1) patch.6.1-2-final and 6.2.x before 6.2(1) and Prime Virtual Network Analysis Module (vNAM) before 6.1(1) patch.6.1-2-final and 6.2.x before 6.2(1) allow local users to obtain root access via crafted CLI input, aka Bug ID CSCuy21892. Cisco Prime Network Analysis Module (NAM) en versiones anteriores a 6.1(1) patch.6.1-2-final y 6.2.x en versiones anteriores a 6.2(1) y Prime Virtual Network Analysis Module (vNAM) en versiones anteriores a 6.1(1) patch.6.1-2-final y 6.2.x en versiones anteriores a 6.2(1) permiten a usuarios locales obtener acceso root a través de una entrada CLI manipulada, también conocido como Bug ID CSCuy21892. • http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160601-prime1 http://www.securitytracker.com/id/1036015 • CWE-20: Improper Input Validation •
CVE-2016-1391
https://notcve.org/view.php?id=CVE-2016-1391
Cisco Prime Network Analysis Module (NAM) before 6.1(1) patch.6.1-2-final and 6.2.x before 6.2(2) and Prime Virtual Network Analysis Module (vNAM) before 6.1(1) patch.6.1-2-final and 6.2.x before 6.2(2) allow remote authenticated users to execute arbitrary OS commands via a crafted HTTP request, aka Bug ID CSCuy21889. Cisco Prime Network Analysis Module (NAM) en versiones anteriores a 6.1(1) patch.6.1-2-final y 6.2.x en versiones anteriores a 6.2(2) y Prime Virtual Network Analysis Module (vNAM) en versiones anteriores a 6.1(1) patch.6.1-2-final y 6.2.x en versiones anteriores a 6.2(2) permite a usuarios remotos autenticados ejecutar comandos de SO arbitrarios a través de una petición HTTP manipulada, también conocido como Bug ID CSCuy21889. • http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160601-prime2 http://www.securitytracker.com/id/1036014 • CWE-20: Improper Input Validation •
CVE-2016-1388
https://notcve.org/view.php?id=CVE-2016-1388
Cisco Prime Network Analysis Module (NAM) before 6.1(1) patch.6.1-2-final and 6.2.x before 6.2(1) and Prime Virtual Network Analysis Module (vNAM) before 6.1(1) patch.6.1-2-final and 6.2.x before 6.2(1) allow remote attackers to execute arbitrary OS commands via a crafted HTTP request, aka Bug ID CSCuy21882. Cisco Prime Network Analysis Module (NAM) en versiones anteriores a 6.1(1) patch.6.1-2-final y 6.2.x en versiones anteriores a 6.2(1) y Prime Virtual Network Analysis Module (vNAM) en versiones anteriores a 6.1(1) patch.6.1-2-final y 6.2.x en versiones anteriores a 6.2(1) permiten a atacantes remotos ejecutar comandos de SO arbitrarios a través de una petición HTTP manipulada, también conocido como Bug ID CSCuy21882. • http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160601-prime http://www.securitytracker.com/id/1036013 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVE-2016-1370
https://notcve.org/view.php?id=CVE-2016-1370
Cisco Prime Network Analysis Module (NAM) before 6.2(1-b) miscalculates IPv6 payload lengths, which allows remote attackers to cause a denial of service (mond process crash and monitoring outage) via crafted IPv6 packets, aka Bug ID CSCuy37324. Cisco Prime Network Analysis Module (NAM) en versiones anteriores a 6.2(1-b) calcula mal las longitudes de payload IPv6, lo que permite a atacantes remotos provocar una denegación de servicio (caída de proceso mond e interrupción de monitorización) a través de paquetes IPv6 manipulados, también conocido como Bug ID CSCuy37324. • http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160601-prime3 http://www.securitytracker.com/id/1036016 • CWE-20: Improper Input Validation •