CVE-2018-0253
https://notcve.org/view.php?id=CVE-2018-0253
A vulnerability in the ACS Report component of Cisco Secure Access Control System (ACS) could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected system. Commands executed by the attacker are processed at the targeted user's privilege level. The vulnerability is due to insufficient validation of the Action Message Format (AMF) protocol. An attacker could exploit this vulnerability by sending a crafted AMF message that contains malicious code to a targeted user. A successful exploit could allow the attacker to execute arbitrary commands on the ACS device. • http://www.securityfocus.com/bid/104075 http://www.securitytracker.com/id/1040808 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180502-acs1 • CWE-20: Improper Input Validation •
CVE-2018-0147 – Cisco Secure Access Control System Java Deserialization Vulnerability
https://notcve.org/view.php?id=CVE-2018-0147
A vulnerability in Java deserialization used by Cisco Secure Access Control System (ACS) prior to release 5.8 patch 9 could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device. The vulnerability is due to insecure deserialization of user-supplied content by the affected software. An attacker could exploit this vulnerability by sending a crafted serialized Java object. An exploit could allow the attacker to execute arbitrary commands on the device with root privileges. Cisco Bug IDs: CSCvh25988. • http://www.securityfocus.com/bid/103328 http://www.securitytracker.com/id/1040463 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180307-acs2 • CWE-20: Improper Input Validation CWE-502: Deserialization of Untrusted Data •
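Both CVE-2018-0253 (crafted AMF messages to the ACS Report component) and CVE-2018-0147 (a crafted serialized Java object) reach the device as an HTTP request body, so a proxy, WAF or traffic-triage script can at least flag the two shapes involved. The following is an added example, not code from the page or from Cisco: it walks the AMF packet envelope (version, headers, messages with their target URIs, per the AMF0 packet layout), flags bodies that start with the Java ObjectOutputStream header (0xACED 0005) and flags AMF message values that embed that header. The target URI `example.ReportService.run`, the payload bytes and the sample requests are constructed for the example; they are not real ACS endpoints or exploit data.

```python
from __future__ import annotations

import struct
from dataclasses import dataclass

# Java ObjectOutputStream stream header: STREAM_MAGIC (0xACED) + STREAM_VERSION (5)
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"
AMF_CONTENT_TYPE = "application/x-amf"


@dataclass
class AmfMessage:
    target_uri: str    # remote service/method the client is invoking
    response_uri: str  # client-side handler the reply is routed to
    body: bytes        # encoded value, left undecoded here


def _read_utf8(buf: bytes, off: int) -> tuple[str, int]:
    """AMF 'UTF-8' field: big-endian U16 byte length followed by the bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    if off + n > len(buf):
        raise ValueError("truncated string")
    return buf[off:off + n].decode("utf-8", errors="replace"), off + n


def parse_amf_packet(buf: bytes) -> tuple[int, list[AmfMessage]]:
    """Walk the AMF packet envelope: version, headers, messages.

    Only the envelope is parsed; message values come back as raw bytes.
    Raises ValueError on anything truncated or of 'unknown' (0xFFFFFFFF) length."""
    try:
        version, header_count = struct.unpack_from(">HH", buf, 0)
        off = 4
        for _ in range(header_count):
            _name, off = _read_utf8(buf, off)
            off += 1  # must-understand flag (U8)
            (hlen,) = struct.unpack_from(">I", buf, off)
            off += 4
            if hlen == 0xFFFFFFFF or off + hlen > len(buf):
                raise ValueError("bad header length")
            off += hlen
        (msg_count,) = struct.unpack_from(">H", buf, off)
        off += 2
        messages = []
        for _ in range(msg_count):
            target, off = _read_utf8(buf, off)
            response, off = _read_utf8(buf, off)
            (mlen,) = struct.unpack_from(">I", buf, off)
            off += 4
            if mlen == 0xFFFFFFFF or off + mlen > len(buf):
                raise ValueError("bad message length")
            messages.append(AmfMessage(target, response, buf[off:off + mlen]))
            off += mlen
    except struct.error as exc:
        raise ValueError("truncated AMF packet") from exc
    return version, messages


def inspect_request(content_type: str, body: bytes) -> list[str]:
    """Classify one HTTP request body; returns finding tags for a log or a block rule."""
    findings = []
    if body.startswith(JAVA_SERIAL_MAGIC):
        findings.append("java-serialized-body")
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type == AMF_CONTENT_TYPE:
        findings.append("amf-request")
        try:
            _version, messages = parse_amf_packet(body)
        except ValueError as exc:
            findings.append(f"amf-malformed:{exc}")
            return findings
        for m in messages:
            findings.append(f"amf-target:{m.target_uri}")
            if JAVA_SERIAL_MAGIC in m.body:
                findings.append(f"java-serialized-in-amf:{m.target_uri}")
    return findings


def _utf8(s: str) -> bytes:
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def build_amf_packet(version: int, messages: list[tuple[str, str, bytes]]) -> bytes:
    """Encode an AMF packet with no headers; used only to build the constructed samples."""
    out = struct.pack(">HH", version, 0) + struct.pack(">H", len(messages))
    for target, response, body in messages:
        out += _utf8(target) + _utf8(response) + struct.pack(">I", len(body)) + body
    return out


# Constructed samples (hypothetical target URI; the "payload" is only the stream header
# plus a few opaque bytes, not a working serialized object).
SAMPLE_AMF_WITH_JAVA = build_amf_packet(
    3, [("example.ReportService.run", "/1", b"\x11" + JAVA_SERIAL_MAGIC + b"\x73\x72\x00")]
)
SAMPLE_AMF_CLEAN = build_amf_packet(3, [("example.ReportService.list", "/2", b"\x01")])
SAMPLE_RAW_JAVA = JAVA_SERIAL_MAGIC + b"\x73\x72\x00"

if __name__ == "__main__":
    for ctype, body in [(AMF_CONTENT_TYPE, SAMPLE_AMF_WITH_JAVA),
                        (AMF_CONTENT_TYPE, SAMPLE_AMF_CLEAN),
                        ("application/octet-stream", SAMPLE_RAW_JAVA),
                        (AMF_CONTENT_TYPE, b"\x00\x03")]:
        print(ctype, inspect_request(ctype, body))
```

The envelope parser deliberately stops at the raw message value: decoding AMF3 values (and anything they wrap) is exactly the step the vulnerable component performs, and a detector should not repeat it. Treat a hit on `java-serialized-body` or `java-serialized-in-amf` as a block-and-alert condition rather than a hint; the real fix is the vendor patch level named in the advisories.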
CVE-2015-4219
https://notcve.org/view.php?id=CVE-2015-4219
Cisco Secure Access Control System before 5.4(0.46.2) and 5.5 before 5.5(0.46) and Cisco Identity Services Engine 1.0(4.573) do not properly implement access control for support bundles, which allows remote authenticated users to obtain sensitive information via brute-force attempts to send valid credentials, aka Bug IDs CSCue00833 and CSCub40331. • http://tools.cisco.com/security/center/viewAlert.x?alertId=39501 http://www.securityfocus.com/bid/75379 http://www.securitytracker.com/id/1032713 http://www.securitytracker.com/id/1032714 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-264: Permissions, Privileges, and Access Controls •
CVE-2015-0580
https://notcve.org/view.php?id=CVE-2015-0580
Multiple SQL injection vulnerabilities in the ACS View reporting interface pages in Cisco Secure Access Control System (ACS) before 5.5 patch 7 allow remote authenticated administrators to execute arbitrary SQL commands via crafted HTTPS requests, aka Bug ID CSCuq79027. • http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150211-csacs http://www.securityfocus.com/bid/72576 http://www.securitytracker.com/id/1031740 https://exchange.xforce.ibmcloud.com/vulnerabilities/100812 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2014-0648
https://notcve.org/view.php?id=CVE-2014-0648
The RMI interface in Cisco Secure Access Control System (ACS) 5.x before 5.5 does not properly enforce authentication and authorization requirements, which allows remote attackers to obtain administrative access via a request to this interface, aka Bug ID CSCud75187. • http://osvdb.org/102117 http://secunia.com/advisories/56213 http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140115-csacs http://tools.cisco.com/security/center/viewAlert.x?alertId=32379 http://www.securityfocus.com/bid/64962 http://www.securitytracker.com/id/1029634 https://exchange.xforce.ibmcloud.com/vulnerabilities/90431 • CWE-264: Permissions, Privileges, and Access Controls •
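For CVE-2014-0648 the first question a practitioner asks is whether the Java RMI interface is reachable from an untrusted network at all, since the flaw is reachable by anyone who can complete the RMI handshake. The following is an added example, not code from the page or from Cisco: it builds the JRMP stream-protocol client hello (magic "JRMI", version 2, StreamProtocol 0x4B) and decodes the server's ProtocolAck (0x4E) or ProtocolNack (0x4F) per the Java RMI wire protocol, which is enough to confirm that a JRMP endpoint answers. It establishes exposure only; it does not exercise the authentication bypass. The port 1099 default is Java's registry default and is an assumption here, not an ACS-specific value, and `SAMPLE_ACK` is a constructed server reply for offline checking.

```python
import socket
import struct

# JRMP stream-protocol handshake constants from the Java RMI wire protocol spec.
JRMP_MAGIC = b"JRMI"   # 0x4a 0x52 0x4d 0x49
JRMP_VERSION = 2
STREAM_PROTOCOL = 0x4B
PROTOCOL_ACK = 0x4E
PROTOCOL_NACK = 0x4F


def build_client_hello() -> bytes:
    """Bytes a JRMP client sends first: magic, version, requested protocol."""
    return JRMP_MAGIC + struct.pack(">HB", JRMP_VERSION, STREAM_PROTOCOL)


def parse_server_reply(data: bytes) -> dict:
    """Decode the server's answer to the hello.

    ProtocolAck is followed by an EndpointIdentifier: a writeUTF host
    (U16 length + modified UTF-8) and a 4-byte port. Anything else is
    reported as-is so the caller can tell 'no JRMP here' from 'truncated'."""
    if not data:
        return {"status": "no-reply"}
    if data[0] == PROTOCOL_NACK:
        return {"status": "nack"}
    if data[0] != PROTOCOL_ACK:
        return {"status": "not-jrmp", "first_byte": data[0]}
    try:
        (hlen,) = struct.unpack_from(">H", data, 1)
        host = data[3:3 + hlen].decode("utf-8", errors="replace")
        (port,) = struct.unpack_from(">I", data, 3 + hlen)
    except struct.error:
        return {"status": "ack-truncated"}
    return {"status": "ack", "host": host, "port": port}


def probe_rmi(host: str, port: int = 1099, timeout: float = 3.0) -> dict:
    """Live exposure check: connect, send the hello, decode the reply.

    Port 1099 is only the Java registry default (assumption, not an ACS value).
    Not used by the offline checks below."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        return parse_server_reply(s.recv(64))


# Constructed reply in the shape a JRMP server sends for an ack (host + port),
# used so the parser can be exercised without a live target.
SAMPLE_ACK = (bytes([PROTOCOL_ACK]) + struct.pack(">H", 9) + b"127.0.0.1"
              + struct.pack(">I", 54321))

if __name__ == "__main__":
    print(build_client_hello().hex())
    print(parse_server_reply(SAMPLE_ACK))
```

A ProtocolAck from a network segment that should not reach the appliance's management plane is the finding; the remediation for the vulnerability itself is the ACS 5.5 upgrade named in the advisory, with the RMI port restricted to the management network regardless of version.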