CVSS: 9.3EPSS: 0%CPEs: 37EXPL: 0CVE-2015-0691
https://notcve.org/view.php?id=CVE-2015-0691
A certain Cisco JAR file, as distributed in Cache Cleaner in Cisco Secure Desktop (CSD), allows remote attackers to execute arbitrary commands via a crafted web site, aka Bug ID CSCup83001. Cierto fichero Cisco JAR, distribuido en Cache Cleaner en Cisco Secure Desktop (CSD), permite a atacantes remotos ejecutar comandos arbitrarios a través de un sitio web manipulado, también conocido como Bug ID CSCup83001. • http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150415-csd http://www.securitytracker.com/id/1032140 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 9.3EPSS: 2%CPEs: 25EXPL: 0CVE-2012-4655
https://notcve.org/view.php?id=CVE-2012-4655
The WebLaunch feature in Cisco Secure Desktop before 3.6.6020 does not properly validate binaries that are received by the downloader process, which allows remote attackers to execute arbitrary code via vectors involving (1) ActiveX or (2) Java components, aka Bug IDs CSCtz76128 and CSCtz78204. La funcionalidad WebLaunch en Cisco Secure Desktop antes de v3.6.6020 no valida adecuadamente los binarios recibidos por el proceso de descarga, lo que permite a cualquier atacante ejecutar código de su elección a través de vectores relacionados con (1) ActiveX o (2) componentes Java. El problema esta identificado con los Bug IDs CSCtz76128 y CSCtz78204. • http://secunia.com/advisories/50669 http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120620-ac http://www.securityfocus.com/bid/55606 https://exchange.xforce.ibmcloud.com/vulnerabilities/78677 • CWE-20: Improper Input Validation •
CVSS: 4.3EPSS: 0%CPEs: 18EXPL: 0CVE-2012-2495
https://notcve.org/view.php?id=CVE-2012-2495
The HostScan downloader implementation in Cisco AnyConnect Secure Mobility Client 3.x before 3.0 MR8 and Cisco Secure Desktop before 3.6.6020 does not compare the timestamp of offered software to the timestamp of installed software, which allows remote attackers to force a version downgrade by using (1) ActiveX or (2) Java components to offer signed code that corresponds to an older software release, aka Bug ID CSCtx74235. La implementación de HostScan en Cisco AnyConnect Secure Mobility Client v3.x antes de v3.0 MR8 y Cisco Secure Desktop antes de v3.6.6020 no compara la marca de tiempo del software ofrecido con la marca de tiempo del software instalado, lo que permite forzar una rebaja de la versión a atacantes remotos mediante el uso de componentes (1) ActiveX o (2) Java para ofrecer código firmado que corresponde a una versión anterior del software. Se trata de un prblema también conocido como Bug ID CSCtx74235. • http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120620-ac • CWE-20: Improper Input Validation •
CVSS: 10.0EPSS: 12%CPEs: 12EXPL: 0CVE-2010-0589 – Cisco Secure Desktop CSDWebInstaller ActiveX Control Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2010-0589
The Web Install ActiveX control (CSDWebInstaller) in Cisco Secure Desktop (CSD) before 3.5.841 does not properly verify the signatures of downloaded programs, which allows remote attackers to force the download and execution of arbitrary files via a crafted web page, aka Bug ID CSCta25876. El control ActiveX Web Install ActiveX en Cisco Secure Desktop (CSD) anterior a v3.5.841, no verifica adecuadamente las firmas de los programas descargados, lo que permite a atacantes remotos forzar las descargas y ejecuciones de archivos de su elección a través de una página web manipulada. También conocido con el Bug ID CSCta25876. This vulnerability allows remote attackers to execute arbitrary code on systems with vulnerable installations of Cisco Secure Desktop. User interaction is required to exploit this vulnerability in that the target must visit a malicious page. The specific flaw exists in the Secure Desktop Web Install ActiveX control (705EC6D4-B138-4079-A307-EF13E4889A82). • http://securitytracker.com/id?1023881 http://www.cisco.com/en/US/products/products_security_advisory09186a0080b25d01.shtml http://www.securityfocus.com/bid/39478 http://www.zerodayinitiative.com/advisories/ZDI-10-072 https://exchange.xforce.ibmcloud.com/vulnerabilities/57812 • CWE-20: Improper Input Validation •
CVSS: 4.3EPSS: 0%CPEs: 5EXPL: 3CVE-2010-0440 – Cisco Secure Desktop 3.x - 'translation' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2010-0440
Cross-site scripting (XSS) vulnerability in +CSCOT+/translation in Cisco Secure Desktop 3.4.2048, and other versions before 3.5; as used in Cisco ASA appliance before 8.2(1), 8.1(2.7), and 8.0(5); allows remote attackers to inject arbitrary web script or HTML via a crafted POST parameter, which is not properly handled by an eval statement in binary/mainv.js that writes to start.html. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en +CSCOT+/translation en Cisco Secure Desktop v3.4.2048, y otras versiones anteriores a la v3.5; tal y como lo utiliza el appliance Cisco ASA anteriores a v8.2(1), v8.1(2.7), y v8.0(5); permite a atacantes remotos inyectar secuencias arbitrarias de comandos web o HTML a través de un parámetro POST manipulado, el cual no es correctamente gestionado por una declaración eval en binary/mainv.js que escribe start.html. • https://www.exploit-db.com/exploits/33567 http://secunia.com/advisories/38397 http://tools.cisco.com/security/center/viewAlert.x?alertId=19843 http://www.coresecurity.com/content/cisco-secure-desktop-xss http://www.securityfocus.com/archive/1/509290/100/0/threaded http://www.securityfocus.com/bid/37960 http://www.vupen.com/english/advisories/2010/0273 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •