CVE-2018-15450 – Cisco Prime Collaboration Assurance File Overwrite Vulnerability
https://notcve.org/view.php?id=CVE-2018-15450
A vulnerability in the web-based UI of Cisco Prime Collaboration Assurance could allow an authenticated, remote attacker to overwrite files on the file system. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by using a specific UI input field to provide a custom path location. A successful exploit could allow the attacker to overwrite files on the file system. Una vulnerabilidad en la interfaz de usuario web de Cisco Prime Collaboration Assurance podría permitir que un atacante remoto autenticado sobrescriba archivos en el sistema de archivos. • http://www.securityfocus.com/bid/105864 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-pca-overwrite • CWE-20: Improper Input Validation CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2018-15389 – Cisco Prime Collaboration Provisioning Intermittent Hard-Coded Password Vulnerability
https://notcve.org/view.php?id=CVE-2018-15389
A vulnerability in the install function of Cisco Prime Collaboration Provisioning (PCP) could allow an unauthenticated, remote attacker to access the administrative web interface using a default hard-coded username and password that are used during install. The vulnerability is due to a hard-coded password that, in some cases, is not replaced with a unique password. A successful exploit could allow the attacker to access the administrative web interface with administrator-level privileges. Una vulnerabilidad en la función de instalación de Cisco Prime Collaboration Provisioning (PCP) podría permitir que un atacante remoto no autenticado acceda a la interfaz web de administración mediante un usuario y contraseña por defecto embebidos empleados durante la instalación. La vulnerabilidad se debe a una contraseña embebida que, en algunos casos, no se reemplaza con una contraseña única. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-cpcp-password • CWE-255: Credentials Management Errors CWE-798: Use of Hard-coded Credentials •
CVE-2018-0391
https://notcve.org/view.php?id=CVE-2018-0391
A vulnerability in the password change function of Cisco Prime Collaboration Provisioning could allow an authenticated, remote attacker to cause the system to become inoperable. The vulnerability is due to insufficient validation of a password change request. An attacker could exploit this vulnerability by changing a specific administrator account password. A successful exploit could allow the attacker to cause the affected device to become inoperable, resulting in a denial of service (DoS) condition. This vulnerability affects Cisco Prime Collaboration Provisioning (PCP) Releases 12.2 and prior. • http://www.securityfocus.com/bid/104942 http://www.securitytracker.com/id/1041409 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180801-pcp-dos • CWE-285: Improper Authorization •
CVE-2018-0336
https://notcve.org/view.php?id=CVE-2018-0336
A vulnerability in the batch provisioning feature of Cisco Prime Collaboration Provisioning could allow an authenticated, remote attacker to escalate privileges to the Administrator level. The vulnerability is due to insufficient authorization enforcement on batch processing. An attacker could exploit this vulnerability by uploading a batch file and having the batch file processed by the system. A successful exploit could allow the attacker to escalate privileges to the Administrator level. Cisco Bug IDs: CSCvd86578. • http://www.securityfocus.com/bid/104429 http://www.securitytracker.com/id/1041083 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-prime-escalation • CWE-264: Permissions, Privileges, and Access Controls CWE-862: Missing Authorization •
CVE-2018-0322
https://notcve.org/view.php?id=CVE-2018-0322
A vulnerability in the web management interface of Cisco Prime Collaboration Provisioning (PCP) could allow an authenticated, remote attacker to modify sensitive data that is associated with arbitrary accounts on an affected device. The vulnerability is due to a failure to enforce access restrictions on the Help Desk and User Provisioning roles that are assigned to authenticated users. This failure could allow an authenticated attacker to modify critical attributes of higher-privileged accounts on the device. A successful exploit could allow the attacker to gain elevated privileges on the device. This vulnerability affects Cisco Prime Collaboration Provisioning (PCP) Releases 12.1 and prior. • http://www.securityfocus.com/bid/104443 http://www.securitytracker.com/id/1041064 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-prime-access • CWE-264: Permissions, Privileges, and Access Controls CWE-862: Missing Authorization •