ID

VAR-202007-1056


CVE

CVE-2020-3450


TITLE

SQL Injection Vulnerability in Cisco Vision Dynamic Signage Director

Trust: 0.8

sources: JVNDB: JVNDB-2020-008346

DESCRIPTION

A vulnerability in the web-based management interface of Cisco Vision Dynamic Signage Director could allow an authenticated, remote attacker with administrative credentials to conduct SQL injection attacks on an affected system. The vulnerability is due to improper validation of user-submitted parameters. An attacker could exploit this vulnerability by authenticating to the web-based management interface and sending malicious requests to an affected system. A successful exploit could allow the attacker to obtain data that is stored in the underlying database, including hashed user credentials. To exploit this vulnerability, an attacker would need valid administrative credentials.

Trust: 1.71

sources: NVD: CVE-2020-3450 // JVNDB: JVNDB-2020-008346 // VULHUB: VHN-181575

AFFECTED PRODUCTS

vendor: cisco, model: vision dynamic signage director, scope: lt, version: 6.2.0

Trust: 1.0

vendor: cisco, model: vision dynamic signage director, scope: eq, version: 6.2.0

Trust: 1.0

vendor: cisco, model: vision dynamic signage director, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2020-008346 // NVD: CVE-2020-3450

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-3450
value: MEDIUM

Trust: 1.0

ykramarz@cisco.com: CVE-2020-3450
value: MEDIUM

Trust: 1.0

NVD: JVNDB-2020-008346
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202007-1052
value: MEDIUM

Trust: 0.6

VULHUB: VHN-181575
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-3450
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2020-008346
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-181575
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-3450
baseSeverity: MEDIUM
baseScore: 4.9
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 1.2
impactScore: 3.6
version: 3.1

Trust: 2.0

NVD: JVNDB-2020-008346
baseSeverity: MEDIUM
baseScore: 4.9
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-181575 // JVNDB: JVNDB-2020-008346 // CNNVD: CNNVD-202007-1052 // NVD: CVE-2020-3450 // NVD: CVE-2020-3450

PROBLEMTYPE DATA

problemtype:CWE-89

Trust: 1.9

sources: VULHUB: VHN-181575 // JVNDB: JVNDB-2020-008346 // NVD: CVE-2020-3450

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202007-1052

TYPE

SQL injection

Trust: 0.6

sources: CNNVD: CNNVD-202007-1052

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-008346

PATCH

title: cisco-sa-visio-dir-sql-inj-fPm3MPfT, url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-visio-dir-sql-inj-fPm3MPfT

Trust: 0.8

title: Repair measures for the Cisco Vision Dynamic Signage Director SQL injection vulnerability, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=124544

Trust: 0.6

sources: JVNDB: JVNDB-2020-008346 // CNNVD: CNNVD-202007-1052

EXTERNAL IDS

db: NVD, id: CVE-2020-3450

Trust: 2.5

db: JVNDB, id: JVNDB-2020-008346

Trust: 0.8

db: CNNVD, id: CNNVD-202007-1052

Trust: 0.7

db: AUSCERT, id: ESB-2020.2428

Trust: 0.6

db: CNVD, id: CNVD-2020-41236

Trust: 0.1

db: VULHUB, id: VHN-181575

Trust: 0.1

sources: VULHUB: VHN-181575 // JVNDB: JVNDB-2020-008346 // CNNVD: CNNVD-202007-1052 // NVD: CVE-2020-3450

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-visio-dir-sql-inj-fpm3mpft

Trust: 2.3

url:https://nvd.nist.gov/vuln/detail/cve-2020-3450

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-3450

Trust: 0.8

url:https://www.auscert.org.au/bulletins/esb-2020.2428/

Trust: 0.6

sources: VULHUB: VHN-181575 // JVNDB: JVNDB-2020-008346 // CNNVD: CNNVD-202007-1052 // NVD: CVE-2020-3450

SOURCES

db: VULHUB, id: VHN-181575
db: JVNDB, id: JVNDB-2020-008346
db: CNNVD, id: CNNVD-202007-1052
db: NVD, id: CVE-2020-3450

LAST UPDATE DATE

2024-11-23T23:07:55.096000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-181575, date: 2020-07-22T00:00:00
db: JVNDB, id: JVNDB-2020-008346, date: 2020-09-08T00:00:00
db: CNNVD, id: CNNVD-202007-1052, date: 2022-03-18T00:00:00
db: NVD, id: CVE-2020-3450, date: 2024-11-21T05:31:05.513

SOURCES RELEASE DATE

db: VULHUB, id: VHN-181575, date: 2020-07-16T00:00:00
db: JVNDB, id: JVNDB-2020-008346, date: 2020-09-08T00:00:00
db: CNNVD, id: CNNVD-202007-1052, date: 2020-07-15T00:00:00
db: NVD, id: CVE-2020-3450, date: 2020-07-16T18:15:19.753