Information disclosure in Cisco License Manager
| Risk | Low |
| Patch available | NO |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2017-12263 |
| CWE-ID | CWE-22 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Cisco License Manager Client/Desktop applications / Other client software |
| Vendor | Cisco Systems, Inc |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Directory traversal
EUVDB-ID: #VU8716
Risk: Low
CVSSv3.1: 6.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:C]
CVE-ID: CVE-2017-12263
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The weakness exists in the web interface of Cisco License Manager software due to improper sanitization of user-supplied input in HTTP request parameters that describe filenames. A remote attacker can use directory traversal techniques to submit a path to a desired file location and view application files which may contain sensitive information.
Successful exploitation of the vulnerability results in information disclosure.
No release planned to fix this bug.
Vulnerable software versionsCisco License Manager: 3.2.6
CPE2.3 External linkshttp://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171004-clm
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
