VARIoT IoT vulnerabilities database

A vulnerability in the Multiprotocol Label Switching (MPLS) Operations, Administration, and Maintenance (OAM) implementation of Cisco IOS XR Software for Cisco ASR 9000 Series Aggregation Services Routers could allow an unauthenticated, adjacent attacker to trigger a denial of service (DoS) condition on an affected device. The vulnerability is due to the incorrect handling of certain MPLS OAM packets. An attacker could exploit this vulnerability by sending malicious MPLS OAM packets to an affected device. A successful exploit could allow the attacker to cause the lspv_server process to crash. The crash could lead to system instability and the inability to process or forward traffic though the device, resulting in a DoS condition that require manual intervention to restore normal operating conditions. Cisco IOS XR The software contains an input validation vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. This issue is being tracked by Cisco Bug ID CSCvk63685. Cisco ASR 9000 Series is a 9000 series enterprise-class router of Cisco (Cisco). The vulnerability stems from the failure of the network system or product to properly validate the input data

A vulnerability in the dashboard gadget rendering of Cisco Unified Intelligence Center could allow an unauthenticated, remote attacker to obtain or manipulate sensitive information between a user’s browser and Cisco Unified Intelligence Center. The vulnerability is due to the lack of gadget validation. An attacker could exploit this vulnerability by forcing a user to load a malicious gadget. A successful exploit could allow the attacker to obtain sensitive information, such as current user credentials, or manipulate data between the user’s browser and Cisco Unified Intelligence Center in the context of the malicious gadget. This issue being tracked by Cisco Bug ID CSCvo98208. The platform provides report related business data and display function of call center data

A vulnerability in the Secure Sockets Layer (SSL)/Transport Layer Security (TLS) protocol parser of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass configured policies. The vulnerability is due to improper parsing of specific attributes in a TLS packet header. An attacker could exploit this vulnerability by sending malicious TLS messages to the affected system. A successful exploit could allow the attacker to bypass the configured policies for the system, which could allow traffic to flow through without being inspected. Cisco Firepower Threat Defense (FTD) The software is vulnerable to a defect in the protection mechanism.Information may be tampered with. This issue is being tracked by Cisco Bug CSCvi81022

A vulnerability in the web-based management interface of Cisco Prime Infrastructure and Cisco Evolved Programmable Network (EPN) Manager software could allow an authenticated, remote attacker to download and view files within the application that should be restricted. This vulnerability is due to improper sanitization of user-supplied input in HTTP request parameters that describe filenames. An attacker could exploit this vulnerability by using directory traversal techniques to submit a path to a desired file location. A successful exploit could allow the attacker to view application files that may contain sensitive information. This issue is being tracked by Cisco Bug ID CSCvo28684 and CSCvo62276. The vulnerability stems from a network system or product that fails to properly filter resources or special elements in file paths. The following products and versions are affected: Cisco PI Software versions prior to 3.4, versions prior to 3.5, and versions prior to 3.6; Cisco EPN Manager versions prior to 3.0.1

A vulnerability in the Image Signature Verification feature of Cisco NX-OS Software could allow an authenticated, local attacker with administrator-level credentials to install a malicious software patch on an affected device. The vulnerability is due to improper verification of digital signatures for patch images. An attacker could exploit this vulnerability by crafting an unsigned software patch to bypass signature checks and loading it on an affected device. A successful exploit could allow the attacker to boot a malicious software patch image. Cisco NX-OS The software contains a vulnerability related to digital signature verification.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Multiple Cisco Products prone to an local security-bypass vulnerability. An attacker may exploit this issue to bypass certain security restrictions and perform unauthorized actions. This may lead to further attacks. This issue is being tracked by Cisco Bug IDs CSCvi42264 and CSCvj12239. Cisco NX-OS Software is a data center-level operating system software used by a set of switches of Cisco. The vulnerability stems from a network system or product not adequately verifying the origin or authenticity of data. Attackers can use forged data to attack. The following products and versions are affected: Cisco MDS 9700 Series Multilayer Directors; Nexus 7000 Series Switches; Nexus 7700 Series Switches; UCS 6200 Series Fabric Interconnects; UCS 6300 Series Fabric Interconnects

A vulnerability in the Image Signature Verification feature of Cisco NX-OS Software could allow an authenticated, local attacker with administrator-level credentials to install a malicious software patch on an affected device. The vulnerability is due to improper verification of digital signatures for patch images. An attacker could exploit this vulnerability by loading an unsigned software patch on an affected device. A successful exploit could allow the attacker to boot a malicious software patch image. Cisco NX-OS The software contains a vulnerability related to digital signature verification.Information may be tampered with. Multiple Cisco Products prone to an local security-bypass vulnerability. An attacker may exploit this issue to bypass certain security restrictions and perform unauthorized actions. This may lead to further attacks. This issue is being tracked by Cisco Bug ID CSCvi42248. Cisco NX-OS Software is a data center-level operating system software used by a set of switches of Cisco. The vulnerability stems from a network system or product not adequately verifying the origin or authenticity of data. Attackers can use forged data to attack. The following products and versions are affected: Cisco MDS 9700 Series Multilayer Directors; Nexus 7000 Series Switches; Nexus 7700 Series Switches

A vulnerability in the interactions between the DHCP and TFTP features for Cisco Small Business 300 Series (Sx300) Managed Switches could allow an unauthenticated, remote attacker to cause the device to become low on system memory, which in turn could lead to an unexpected reload of the device and result in a denial of service (DoS) condition on an affected device. The vulnerability is due to a failure to free system memory when an unexpected DHCP request is received. An attacker could exploit this vulnerability by sending a crafted DHCP packet to the targeted device. A successful exploit could allow the attacker to cause an unexpected reload of the device. Cisco Small Business 300 Series (Sx300) Managed Switch Contains a resource exhaustion vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. CiscoSmallBusiness300SeriesManagedSwitches is a switch device from Cisco. This issue is being tracked by Cisco Bug ID CSCvn17215. This vulnerability stems from improper management of system resources (such as memory, disk space, files, etc.) by network systems or products

A vulnerability in the CLI of Cisco FXOS Software and Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying Linux operating system with the privilege level of root. The vulnerability is due to insufficient validation of arguments passed to a specific CLI command on the affected device. An attacker could exploit this vulnerability by including malicious input as the argument of an affected command. A successful exploit could allow the attacker to execute arbitrary commands on the underlying Linux operating system with elevated privileges. An attacker would need valid administrator credentials to exploit this vulnerability. Cisco FXOS and Cisco NX-OS The software contains a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. This issue is being tracked by Cisco Bug IDs CSCvh20029, CSCvh20359, CSCvh66202, CSCvh66214, CSCvh66219, CSCvh66243, CSCvh66257, CSCvh66259 and CSCvk30761. This vulnerability stems from the fact that the network system or product does not correctly filter special elements in the process of constructing executable commands from external input data. The following products and versions are affected: Cisco Firepower 4100 Series; Firepower 9300 Security Appliances; MDS 9000 Series Multilayer Switches; Nexus 1000V Switch for Microsoft Hyper-V; Nexus 1000V Switch for VMware vSphere; Nexus 3000 Series Switches; 3600 Platform Switches ; Nexus 5500 Platform Switches ; Nexus 5600 Platform Switches ; Nexus 6000 Series Switches ; Nexus 7000 Series Switches ; Nexus 7700 Series Switches ; Nexus 9000 Series Switches in standalone NX-OS mode ; Nexus 9500 R-Series Switching Platform ; UCS 6200 Series Fabric Interconnects; UCS 6300 Series Fabric Interconnects

A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker with administrator credentials to execute arbitrary commands with elevated privileges on the underlying operating system of an affected device. The vulnerability is due to insufficient validation of arguments passed to certain CLI commands. An attacker could exploit this vulnerability by including malicious input as the argument of an affected command. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with elevated privileges. An attacker would need valid administrator credentials to exploit this vulnerability. Cisco NX-OS The software contains a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Cisco NX-OS is prone to a local command-injection vulnerability. This issue is being tracked by Cisco Bug IDs CSCvj63270, CSCvj63667, CSCvk50873, CSCvk50876, CSCvk50889. Cisco NX-OS Software is a data center-level operating system software used by a set of switches of Cisco. A command injection vulnerability exists in the CLI in Cisco NX-OS Software. This vulnerability stems from the fact that the network system or product does not correctly filter special elements in the process of constructing executable commands from external input data. The following products and versions are affected: Cisco MDS 9000 Series Multilayer Switches; Nexus 3000 Series Switches; Nexus 3500 Platform Switches; Nexus 3600 Platform Switches; Nexus 5500 Platform Switches; Nexus 5600 Platform Switches; 7700 Series Switches; Nexus 9000 Series Switches in standalone NX-OS mode; Nexus 9500 R-Series Switching Platform

A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker with administrator credentials to execute arbitrary commands on the underlying Linux operating system of an attached line card with the privilege level of root. The vulnerability is due to insufficient validation of arguments passed to a specific CLI command on the affected device. An attacker could exploit this vulnerability by including malicious input as the argument of an affected command. A successful exploit could allow the attacker to execute arbitrary commands on the underlying Linux operating system of an attached line card with elevated privileges. An attacker would need valid administrator credentials to exploit this vulnerability. Cisco NX-OS The software includes OS A command injection vulnerability exists.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Cisco NX-OS is prone to a local command-injection vulnerability. This issue is being tracked by Cisco Bug IDs CSCvh20032, CSCvj00299. Cisco NX-OS Software is a data center-level operating system software used by a set of switches of Cisco. The vulnerability stems from the fact that the network system or product does not correctly filter special characters, commands, etc. in the process of constructing executable commands of the operating system from external input data. The following products and versions are affected: Cisco Nexus 3000 Series Switches; Nexus 3500 Platform Switches; Nexus 3600 Platform Switches; Nexus 9000 Series Switches in standalone NX-OS mode; Nexus 9500 R-Series Switching Platform

A vulnerability in the Image Signature Verification feature used in an NX-OS CLI command in Cisco Nexus 3000 Series and 9000 Series Switches could allow an authenticated, local attacker with administrator-level credentials to install a malicious software image on an affected device. The vulnerability exists because software digital signatures are not properly verified during CLI command execution. An attacker could exploit this vulnerability to install an unsigned software image on an affected device. Note: If the device has not been patched for the vulnerability previously disclosed in the Cisco Security Advisory cisco-sa-20190306-nxos-sig-verif, a successful exploit could allow the attacker to boot a malicious software image. Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches are products of Cisco. The Cisco Nexus 3000 Series Switches is a 3000 Series switch. The Cisco Nexus 9000 Series Switches is a 9000 Series switch. Attackers can use fake data to attack. Successfully exploiting this issue may allow an attacker to perform unauthorized actions. This may lead to other attacks. This issue is being tracked by Cisco Bug ID CSCvj14078. The following products and versions are affected: Cisco N3K-C3164Q; N3K-C3232C; N9K-C92304QC; N9K-C9232C

A vulnerability in the Image Signature Verification feature of Cisco NX-OS Software could allow an authenticated, local attacker with administrator-level credentials to install a malicious software image on an affected device. The vulnerability exists because software digital signatures are not properly verified during CLI command execution. An attacker could exploit this vulnerability to install an unsigned software image on an affected device. Cisco NX-OS The software contains a vulnerability related to digital signature verification.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Successfully exploiting these issues may allow an attacker to perform unauthorized actions. This may lead to other attacks. This issue is being tracked by Cisco Bug IDs CSCvj14093, CSCvj14106, CSCvj14182, CSCvk53125, CSCvk53227, CSCvk53256. Cisco NX-OS Software is a data center-level operating system software used by a set of switches of Cisco. The vulnerability stems from a network system or product not adequately verifying the origin or authenticity of data. Attackers can use forged data to attack. The following products and versions are affected: Cisco Nexus 3000 Series Switches; Nexus 3600 Platform Switches; Nexus 9000 Series Switches in standalone NX-OS mode; Nexus 9500 R-Series Switching Platform

A vulnerability in the Image Signature Verification feature of Cisco NX-OS Software could allow an authenticated, local attacker with administrator-level credentials to install a malicious software image on an affected device. The vulnerability exists because software digital signatures are not properly verified during CLI command execution. An attacker could exploit this vulnerability to install an unsigned software image on an affected device. Cisco NX-OS The software contains a vulnerability related to digital signature verification.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Successfully exploiting these issues may allow an attacker to perform unauthorized actions. This may lead to other attacks. This issue is being tracked by Cisco Bug IDs CSCvj14093, CSCvj14106, CSCvj14182, CSCvk53125, CSCvk53227, CSCvk53256. Cisco NX-OS Software is a data center-level operating system software used by a set of switches of Cisco. The vulnerability stems from a network system or product not adequately verifying the origin or authenticity of data. Attackers can use forged data to attack. The following products and versions are affected: Cisco Nexus 3000 Series Switches; Nexus 3600 Platform Switches; Nexus 9000 Series Switches in standalone NX-OS mode; Nexus 9500 R-Series Switching Platform

A vulnerability in the Image Signature Verification feature of Cisco NX-OS Software could allow an authenticated, local attacker with administrator-level credentials to install a malicious software image on an affected device. The vulnerability exists because software digital signatures are not properly verified during CLI command execution. An attacker could exploit this vulnerability to install an unsigned software image on an affected device. Cisco NX-OS The software contains a vulnerability related to digital signature verification.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Successfully exploiting these issues may allow an attacker to perform unauthorized actions. This may lead to other attacks. This issue is being tracked by Cisco Bug IDs CSCvj14093, CSCvj14106, CSCvj14182, CSCvk53125, CSCvk53227, CSCvk53256

A vulnerability in the CLI of Cisco FXOS Software and Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system of an affected device with elevated privileges. The vulnerability is due to insufficient validation of arguments passed to certain CLI commands. An attacker could exploit this vulnerability by including malicious input as the argument of an affected command. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with elevated privileges. An attacker would need valid device credentials to exploit this vulnerability. Cisco FXOS and Cisco NX-OS The software contains a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. This issue is being tracked by Cisco Bug IDs CSCve51688, CSCvh76126, CSCvj00412, CSCvj00416 and CSCvj00418. This vulnerability stems from the fact that the network system or product does not correctly filter special elements in the process of constructing executable commands from external input data. The following products and versions are affected: Cisco Firepower 4100 Series ; Firepower 9300 Security Appliances ; MDS 9000 Series Multilayer Switches ; Nexus 3000 Series Switches ; Nexus 3500 Platform Switches ; Nexus 3600 Platform Switches ; Nexus 5500 Platform Switches ; Nexus 5600 Platform Switches ; Nexus 6000 Series Switches; Nexus 7000 Series Switches; Nexus 7700 Series Switches; Nexus 9000 Series Switches in standalone NX-OS mode; Nexus 9500 R-Series Switching Platform

A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying Linux operating system with a privilege level of root. The vulnerability is due to insufficient validation of arguments passed to a specific CLI command on the affected device. An attacker could exploit this vulnerability by including malicious input as the argument of an affected command. A successful exploit could allow the attacker to execute arbitrary commands on the underlying Linux operating system with elevated privileges. An attacker would need valid administrator credentials to exploit this vulnerability. Cisco NX-OS The software includes OS A command injection vulnerability exists.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Cisco NX-OS Software is prone to a local command-injection vulnerability. This issue is being tracked by Cisco Bug IDs CSCvh20076, CSCvh20081, CSCvi96429, CSCvi96431, CSCvi96432 and CSCvi96433. The vulnerability stems from the fact that the network system or product does not correctly filter special characters, commands, etc. in the process of constructing executable commands of the operating system from external input data. The following products and versions are affected: Cisco MDS 9000 Series Multilayer Switches; Nexus 3000 Series Switches; Nexus 3500 Platform Switches; Nexus 3600 Platform Switches; Nexus 5500 Platform Switches; Nexus 5600 Platform Switches; 7700 Series Switches; Nexus 9000 Series Switches in standalone NX-OS mode; Nexus 9500 R-Series Switching Platform; UCS 6200 Series Fabric Interconnects; UCS 6300 Series Fabric Interconnects

A vulnerability in the CLI of Cisco FXOS Software and Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system of an affected device. This vulnerability is due to insufficient validation of arguments passed to certain CLI commands. An attacker could exploit this vulnerability by including malicious input as the argument of an affected command. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with elevated privileges. An attacker would need administrator credentials to exploit this vulnerability. Cisco FXOS and Cisco NX-OS The software contains a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. This issue is being tracked by Cisco Bug IDs CSCvh20027, CSCvh20389, CSCvi01445, CSCvi01448, CSCvi91985, CSCvi92126, CSCvi92128, CSCvi92129, CSCvi92130, CSCvi96522, CSCvi96524, CSCvi96525, CSCvi96526 and CSCvi96527. Both Cisco NX-OS Software and Cisco FXOS Software are products of Cisco (Cisco). This vulnerability stems from the fact that the network system or product does not correctly filter special elements in the process of constructing executable commands from external input data. The following products and versions are affected: Cisco Firepower 4100 Series ; Firepower 9300 Security Appliances ; MDS 9000 Series Multilayer Switches ; Nexus 3000 Series Switches ; Nexus 3500 Platform Switches ; Nexus 3600 Platform Switches ; Nexus 5500 Platform Switches ; Nexus 5600 Platform Switches ; Nexus 6000 Series Switches; Nexus 7000 Series Switches; Nexus 7700 Series Switches; Nexus 9000 Series Switches in standalone NX-OS mode; Nexus 9500 R-Series Switching Platform; UCS 6200 Series Fabric Interconnects; UCS 6300 Series Fabric Interconnects

A vulnerability in the CLI of Cisco FXOS Software and Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system of an affected device. This vulnerability is due to insufficient validation of arguments passed to certain CLI commands. An attacker could exploit this vulnerability by including malicious input as the argument of an affected command. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with elevated privileges. An attacker would need administrator credentials to exploit this vulnerability. Cisco FXOS and Cisco NX-OS The software contains a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. This issue is being tracked by Cisco Bug IDs CSCvh20027, CSCvh20389, CSCvi01445, CSCvi01448, CSCvi91985, CSCvi92126, CSCvi92128, CSCvi92129, CSCvi92130, CSCvi96522, CSCvi96524, CSCvi96525, CSCvi96526 and CSCvi96527. Both Cisco NX-OS Software and Cisco FXOS Software are products of Cisco (Cisco). This vulnerability stems from the fact that the network system or product does not correctly filter special elements in the process of constructing executable commands from external input data. The following products and versions are affected: Cisco Firepower 4100 Series ; Firepower 9300 Security Appliances ; MDS 9000 Series Multilayer Switches ; Nexus 3000 Series Switches ; Nexus 3500 Platform Switches ; Nexus 3600 Platform Switches ; Nexus 5500 Platform Switches ; Nexus 5600 Platform Switches ; Nexus 6000 Series Switches; Nexus 7000 Series Switches; Nexus 7700 Series Switches; Nexus 9000 Series Switches in standalone NX-OS mode; Nexus 9500 R-Series Switching Platform; UCS 6200 Series Fabric Interconnects; UCS 6300 Series Fabric Interconnects

A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying Linux operating system with the privilege level of root. The vulnerability is due to insufficient validation of arguments passed to a specific CLI command on the affected device. An attacker could exploit this vulnerability by including malicious input as the argument of an affected command. A successful exploit could allow the attacker to execute arbitrary commands on the underlying Linux operating system with elevated privileges. An attacker would need valid administrator credentials to exploit this vulnerability. Cisco NX-OS The software includes OS A command injection vulnerability exists.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Cisco NX-OS is prone to a local command-injection vulnerability. This issue is being tracked by Cisco Bug IDs CSCvh75996 and CSCvj03877. Cisco NX-OS Software is a data center-level operating system software used by a set of switches of Cisco. The vulnerability stems from the fact that the network system or product does not correctly filter special characters, commands, etc. in the process of constructing executable commands of the operating system from external input data. The following products and versions are affected: Cisco Nexus 3000 Series Switches; Nexus 3500 Platform Switches; Nexus 3600 Platform Switches; Nexus 9000 Series Switches in standalone NX-OS mode; Nexus 9500 R-Series Switching Platform

A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker with administrator credentials to execute arbitrary commands on the underlying Linux operating system with the privilege level of root. The vulnerability is due to insufficient validation of arguments passed to a specific CLI command on the affected device. An attacker could exploit this vulnerability by including malicious input as the argument of an affected command. A successful exploit could allow the attacker to execute arbitrary commands on the underlying Linux operating system with elevated privileges. An attacker would need valid administrator credentials to exploit this vulnerability. Cisco NX-OS The software contains a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Cisco NX-OS Software is prone to a local command-injection vulnerability. This issue is being tracked by Cisco Bug ID and CSCvi42281 and CSCvj03966. This vulnerability stems from the fact that the network system or product does not correctly filter special elements in the process of constructing executable commands from external input data. The following products and versions are affected: Cisco Nexus 5500 Platform Switches; Nexus 5600 Platform Switches; Nexus 6000 Series Switches; Nexus 7000 Series Switches; Nexus 7700 Series Switches