
CVSS: 10.0 • EPSS: 0% • CPEs: 8 • EXPL: 0

A vulnerability in the ACS Report component of Cisco Secure Access Control System (ACS) could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected system. Commands executed by the attacker are processed at the targeted user's privilege level. The vulnerability is due to insufficient validation of the Action Message Format (AMF) protocol. An attacker could exploit this vulnerability by sending a crafted AMF message that contains malicious code to a targeted user. A successful exploit could allow the attacker to execute arbitrary commands on the ACS device.
• http://www.securityfocus.com/bid/104075
• http://www.securitytracker.com/id/1040808
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180502-acs1
• CWE-20: Improper Input Validation

CVSS: 5.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

A vulnerability in the web-based interface of Cisco Secure Access Control System (ACS) could allow an unauthenticated, remote attacker to view sensitive information on an affected system. The vulnerability exists because the affected software does not sufficiently protect system software version information when the software responds to HTTP requests that are sent to the web-based interface of the software. An attacker could exploit this vulnerability by sending crafted HTTP requests to the web-based interface of the affected software. A successful exploit could allow the attacker to view sensitive information about the software, which the attacker could use to conduct additional reconnaissance attacks. Cisco Bug IDs: CSCvf66155.
• http://www.securityfocus.com/bid/101986
• http://www.securitytracker.com/id/1039923
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171129-acs
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 5.4 • EPSS: 0% • CPEs: 2 • EXPL: 0

A vulnerability in the web-based management interface of the Cisco Secure Access Control System (ACS) could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web interface of the affected system. More Information: CSCve70587. Known Affected Releases: 5.8(0.8) 5.8(1.5).
• http://www.securityfocus.com/bid/99985
• http://www.securitytracker.com/id/1038996
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170726-acs
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 4.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

An XML External Entity vulnerability in the web-based user interface of the Cisco Secure Access Control System (ACS) could allow an unauthenticated, remote attacker to have read access to part of the information stored in the affected system. More Information: CSCvc04845. Known Affected Releases: 5.8(2.5).
• http://www.securityfocus.com/bid/96236
• http://www.securitytracker.com/id/1037836
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170215-acs1
• CWE-611: Improper Restriction of XML External Entity Reference

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

A vulnerability in the web interface of the Cisco Secure Access Control System (ACS) could allow an unauthenticated, remote attacker to disclose sensitive information. More Information: CSCvc04854. Known Affected Releases: 5.8(2.5).
• http://www.securityfocus.com/bid/96237
• http://www.securitytracker.com/id/1037838
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170215-acs3
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor