CVE-2017-6662
Cisco Prime Infrastructure 3.1.6 XXE Injection / XSS / LFD / SQL Injection
Descriptions
A vulnerability in the web-based user interface of Cisco Prime Infrastructure (PI) and Evolved Programmable Network Manager (EPNM) could allow an authenticated, remote attacker to read and write information stored on the affected system and to execute code remotely. The attacker must have valid user credentials. The vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing an XML file. An attacker could exploit this vulnerability by convincing the administrator of an affected system to import a crafted XML file with malicious entries, which could allow the attacker to read and write files and execute code within the application (aka XML Injection). Cisco Prime Infrastructure software releases 1.1 through 3.1.6 are vulnerable. Cisco EPNM software releases 1.2, 2.0, and 2.1 are vulnerable. Cisco Bug IDs: CSCvc23894, CSCvc49561.
Cisco Prime Infrastructure versions 1.1 through 3.1.6 suffer from cross site scripting, XML external entity injection, file disclosure, and remote SQL injection vulnerabilities.
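The root cause above is an XML import path that honours external entity declarations. As an added defensive illustration (not Cisco's code and not part of this record), the Python below shows the parser hardening that closes that class of bug: any import document carrying a DOCTYPE or an external entity reference is refused before anything is resolved. The device-import schema, the element names and the placeholder file path are constructed for the example.

```python
import xml.parsers.expat as expat

class UnsafeXmlDocument(ValueError):
    """Raised when an import file tries to use a DTD or an external entity."""

def _reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
    # Refuse any DOCTYPE: with no DTD there is nowhere to declare an entity.
    raise UnsafeXmlDocument(f"DOCTYPE '{doctype_name}' is not allowed in import files")

def _reject_external_ref(context, base, system_id, public_id):
    # Defence in depth: never resolve an external entity even if a DTD slipped through.
    raise UnsafeXmlDocument(f"external entity reference to {system_id!r} refused")

def parse_import_document(xml_bytes):
    """Parse an import file and return (element names, direct text values).

    Raises UnsafeXmlDocument on DTD/external-entity use and expat.ExpatError on malformed XML.
    """
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _reject_doctype
    parser.ExternalEntityRefHandler = _reject_external_ref
    elements, texts, buf = [], [], []
    def start_element(name, attrs):
        elements.append(name)
        buf.clear()                      # text buffer holds only the innermost element's text
    def end_element(name):
        text = "".join(buf).strip()
        buf.clear()
        if text:
            texts.append(text)
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = buf.append
    parser.Parse(xml_bytes, True)
    return elements, texts

def import_is_safe(xml_bytes):
    """True if the document parses with no DTD or entity tricks; False if it must be refused."""
    try:
        parse_import_document(xml_bytes)
    except (UnsafeXmlDocument, expat.ExpatError):
        return False
    return True

# Constructed sample documents; the "deviceImport" schema is hypothetical.
BENIGN_IMPORT = (b'<?xml version="1.0"?><deviceImport><device>'
                 b'<name>edge-sw-01</name><ip>192.0.2.10</ip></device></deviceImport>')
XXE_IMPORT = (b'<?xml version="1.0"?>\n'
              b'<!DOCTYPE deviceImport [<!ENTITY ext SYSTEM "file:///PLACEHOLDER/path">]>\n'
              b'<deviceImport><device><name>&ext;</name></device></deviceImport>')
DTD_ONLY_IMPORT = b'<!DOCTYPE deviceImport><deviceImport/>'
```

A benign file yields its element and text lists, while both the external-entity file and the DTD-only file are refused at the DOCTYPE declaration, so no file or network access is ever attempted.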
Timeline
- 2017-03-09 CVE Reserved
- 2017-06-22 CVE Published
- 2023-08-22 EPSS Updated
- 2024-08-05 CVE Updated
CWE
- CWE-20: Improper Input Validation
- CWE-611: Improper Restriction of XML External Entity Reference
References (3)
URL | Tag | Date |
---|---|---|
http://www.securityfocus.com/bid/99194 | Third Party Advisory | |
http://www.securitytracker.com/id/1038750 | VDB Entry | |
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170621-piepnm1 | Vendor Advisory | 2019-07-29 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Cisco | Evolved Programmable Network Manager | 1.2.0 | - | Affected |
Cisco | Evolved Programmable Network Manager | 1.2.1.3 | - | Affected |
Cisco | Evolved Programmable Network Manager | 1.2.200 | - | Affected |
Cisco | Evolved Programmable Network Manager | 1.2.300 | - | Affected |
Cisco | Evolved Programmable Network Manager | 1.2.400 | - | Affected |
Cisco | Evolved Programmable Network Manager | 1.2.500 | - | Affected |
Cisco | Evolved Programmable Network Manager | 2.0(4.0.45d) | - | Affected |
Cisco | Evolved Programmable Network Manager | 2.0.0 | - | Affected |
Cisco | Prime Infrastructure | 1.2 | - | Affected |
Cisco | Prime Infrastructure | 1.2.0.103 | - | Affected |
Cisco | Prime Infrastructure | 1.2.1 | - | Affected |
Cisco | Prime Infrastructure | 1.3 | - | Affected |
Cisco | Prime Infrastructure | 1.3.0.20 | - | Affected |
Cisco | Prime Infrastructure | 1.4 | - | Affected |
Cisco | Prime Infrastructure | 1.4.0.45 | - | Affected |
Cisco | Prime Infrastructure | 1.4.1 | - | Affected |
Cisco | Prime Infrastructure | 1.4.2 | - | Affected |
Cisco | Prime Infrastructure | 2.0 | - | Affected |
Cisco | Prime Infrastructure | 2.1.0 | - | Affected |
Cisco | Prime Infrastructure | 2.2 | - | Affected |
Cisco | Prime Infrastructure | 2.2(2) | - | Affected |
Cisco | Prime Infrastructure | 2.2(3) | - | Affected |
Cisco | Prime Infrastructure | 3.0 | - | Affected |
Cisco | Prime Infrastructure | 3.1 | - | Affected |
Cisco | Prime Infrastructure | 3.1(0.128) | - | Affected |
Cisco | Prime Infrastructure | 3.1(4.0) | - | Affected |
Cisco | Prime Infrastructure | 3.1(5.0) | - | Affected |
Cisco | Prime Infrastructure | 3.1.1 | - | Affected |
Cisco | Prime Infrastructure | 3.2(0.0) | - | Affected |
Cisco | Prime Infrastructure | 3.2_base | - | Affected |