6 results (0.012 seconds)

CVSS: 10.0EPSS: 0%CPEs: 8EXPL: 0

A vulnerability in the ACS Report component of Cisco Secure Access Control System (ACS) could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected system. Commands executed by the attacker are processed at the targeted user's privilege level. The vulnerability is due to insufficient validation of the Action Message Format (AMF) protocol. An attacker could exploit this vulnerability by sending a crafted AMF message that contains malicious code to a targeted user. A successful exploit could allow the attacker to execute arbitrary commands on the ACS device. • http://www.securityfocus.com/bid/104075 http://www.securitytracker.com/id/1040808 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180502-acs1 • CWE-20: Improper Input Validation •

CVSS: 4.0EPSS: 0%CPEs: 3EXPL: 0

Cisco Secure Access Control System before 5.4(0.46.2) and 5.5 before 5.5(0.46) and Cisco Identity Services Engine 1.0(4.573) do not properly implement access control for support bundles, which allows remote authenticated users to obtain sensitive information via brute-force attempts to send valid credentials, aka Bug IDs CSCue00833 and CSCub40331. Cisco Secure Access Control System anterior a 5.4(0.46.2) y 5.5 anterior a 5.5(0.46) y Cisco Identity Services Engine 1.0(4.573) no implementan correctamente el control de acceso para paquetes de soporte, lo que permite a usuarios remotos autenticados obtener información sensible a través de intentos de fuerza bruta de enviar credenciales válidas, también conocido como Bug IDs CSCue00833 y CSCub40331. • http://tools.cisco.com/security/center/viewAlert.x?alertId=39501 http://www.securityfocus.com/bid/75379 http://www.securitytracker.com/id/1032713 http://www.securitytracker.com/id/1032714 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0

Multiple SQL injection vulnerabilities in the ACS View reporting interface pages in Cisco Secure Access Control System (ACS) before 5.5 patch 7 allow remote authenticated administrators to execute arbitrary SQL commands via crafted HTTPS requests, aka Bug ID CSCuq79027. Múltiples vulnerabilidades de inyección SQL en las páginas de la interfaz de los informes de ACS View en Cisco Secure Access Control System (ACS) anterior a 5.5 parche 7 permiten a administradores remotos autenticados ejecutar comandos SQL arbitrarios a través de solicitudes HTTPS manipuladas, también conocido como Bug ID CSCuq79027. • http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150211-csacs http://www.securityfocus.com/bid/72576 http://www.securitytracker.com/id/1031740 https://exchange.xforce.ibmcloud.com/vulnerabilities/100812 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 10.0EPSS: 1%CPEs: 26EXPL: 0

The RMI interface in Cisco Secure Access Control System (ACS) 5.x before 5.5 does not properly enforce authentication and authorization requirements, which allows remote attackers to obtain administrative access via a request to this interface, aka Bug ID CSCud75187. El interface RMI en Cisco Secure Access Control System (ACS) v5.x anterior a v5.5 no aplica correctamente los requisitos de autenticación y autorización, lo que permite a atacantes remotos obtener acceso administrativo a través de una solicitud a este interface, tambien conocido como Bug ID CSCud75187. • http://osvdb.org/102117 http://secunia.com/advisories/56213 http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140115-csacs http://tools.cisco.com/security/center/viewAlert.x?alertId=32379 http://www.securityfocus.com/bid/64962 http://www.securitytracker.com/id/1029634 https://exchange.xforce.ibmcloud.com/vulnerabilities/90431 • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 10.0EPSS: 1%CPEs: 22EXPL: 0

The web interface in Cisco Secure Access Control System (ACS) 5.x before 5.4 Patch 3 allows remote attackers to execute arbitrary operating-system commands via a request to this interface, aka Bug ID CSCue65962. La interfaz web de Cisco Secure Access Control System (ACS) 5.x anterior a 5.4 Patch 3 permite a atacantes remotos ejecutar en el sistema operativo comandos arbitrarios a través de una solicitud a esta interfaz, también conocido como Bug ID CSCue65962. • http://osvdb.org/102115 http://secunia.com/advisories/56213 http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140115-csacs http://tools.cisco.com/security/center/viewAlert.x?alertId=32380 http://www.securityfocus.com/bid/64964 http://www.securitytracker.com/id/1029634 https://exchange.xforce.ibmcloud.com/vulnerabilities/90432 • CWE-20: Improper Input Validation •