Main Vulnerability Database Vulnerabilities #VU94511

#VU94511 Unverified Password Change in Cisco Smart Software Manager On-Prem - CVE-2024-20419

Published: July 18, 2024 / Updated: September 24, 2024

Vulnerability identifier: #VU94511

Vulnerability risk: High

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber

CVE-ID: CVE-2024-20419

CWE-ID: CWE-620

Exploitation vector: Remote access

Exploit availability: Public exploit is available

Vulnerable software:
Cisco Smart Software Manager On-Prem

Software vendor:
Cisco Systems, Inc

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to lack of proper validation of the old password before setting a new password. A remote attacker can send specially crafted HTTP requests and access the web UI or API with the privileges of the compromised user.

Remediation

Install updates from vendor's website.

External links

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cssm-auth-sLw3uhUy