SB2024011112 - Multiple vulnerabilities in Cisco Evolved Programmable Network Manager and Cisco Prime Infrastructure

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2024011112

SB2024011112 - Multiple vulnerabilities in Cisco Evolved Programmable Network Manager and Cisco Prime Infrastructure

Published: January 11, 2024

Security Bulletin ID SB2024011112
Severity
Medium
Patch available
YES
Number of vulnerabilities 4
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Medium 25% Low 75%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 4 secuirty vulnerabilities.


1) Cross-site scripting (CVE-ID: CVE-2023-20257)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in the web-based management interface. A remote user can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.


2) OS Command Injection (CVE-ID: CVE-2023-20258)

The vulnerability allows a remote user to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation in the web-based management interface. A remote administrator can pass specially crafted data to the application and execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


3) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-20260)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improper processing of command line arguments to application scripts. A local administrator can gain the elevated privileges of the root user on the underlying operating system.


4) SQL injection (CVE-ID: CVE-2023-20271)

The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.

The vulnerability exists due to insufficient sanitization of user-supplied data in the web-based management interface. A remote user can send a specially crafted request to the affected application and obtain or modify sensitive information that is stored in the underlying database.


Remediation

Install update from vendor's website.

References