Security Vulnerabilities - CVEs Published In October 2018
A vulnerability in the anti-spam protection mechanisms of Cisco AsyncOS Software for the Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to bypass certain content filters on an affected device. The vulnerability is due to incomplete input and validation checking mechanisms for certain Sender Policy Framework (SPF) messages that are sent to an affected device. An attacker could exploit this vulnerability by sending a customized SPF packet to an affected device. If successful, an exploit could allow the attacker to bypass the URL filters that are configured for the affected device, which could allow malicious URLs to pass through the device.
CVSS Score
5.3
EPSS Score
0.003
Published
2018-10-05
A vulnerability in the identity management service of Cisco Digital Network Architecture (DNA) Center could allow an unauthenticated, remote attacker to bypass authentication and take complete control of identity management functions. The vulnerability is due to insufficient security restrictions for critical management functions. An attacker could exploit this vulnerability by sending a valid identity management request to the affected system. An exploit could allow the attacker to view and make unauthorized modifications to existing system users as well as create new users.
CVSS Score
9.8
EPSS Score
0.001
Published
2018-10-05
A vulnerability in the web-based management interface of the Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router could allow an unauthenticated, remote attacker to gain access to sensitive information. The vulnerability is due to improper access control to files within the web-based management interface. An attacker could exploit this vulnerability by sending malicious requests to a targeted device. A successful exploit could allow the attacker to gain access to sensitive configuration information, including user authentication credentials.
CVSS Score
9.8
EPSS Score
0.081
Published
2018-10-05
A vulnerability in the web-based management interface of the Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router could allow an unauthenticated, remote attacker to gain access to sensitive information. The vulnerability is due to improper validation of directory traversal character sequences within the web-based management interface. An attacker could exploit this vulnerability by sending malicious requests to the targeted device. A successful exploit could allow the attacker to gain access to arbitrary files on the affected device, resulting in the disclosure of sensitive information.
CVSS Score
9.8
EPSS Score
0.085
Published
2018-10-05
A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) Software could allow an authenticated, remote attacker to inject and execute arbitrary commands with root privileges on an affected device. The vulnerability is due to insufficient validation of command input by the affected software. An attacker could exploit this vulnerability by sending crafted commands to the web-based management interface of the affected software. A successful exploit could allow the attacker to inject and execute arbitrary, system-level commands with root privileges on an affected device.
CVSS Score
8.8
EPSS Score
0.011
Published
2018-10-05
A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) Software could allow an authenticated, remote attacker to inject and execute arbitrary commands with root privileges on an affected device. The vulnerability is due to insufficient validation of command input by the affected software. An attacker could exploit this vulnerability by sending crafted commands to the web-based management interface of the affected software. A successful exploit could allow the attacker to inject and execute arbitrary, system-level commands with root privileges on an affected device.
CVSS Score
8.8
EPSS Score
0.011
Published
2018-10-05
A vulnerability in the error reporting feature of the Cisco SD-WAN Solution could allow an authenticated, remote attacker to gain elevated privileges on an affected device. The vulnerability is due to a failure to properly validate certain parameters included within the error reporting application configuration. An attacker could exploit this vulnerability by sending a crafted command to the error reporting feature. A successful exploit could allow the attacker to gain root-level privileges and take full control of the device.
CVSS Score
8.8
EPSS Score
0.017
Published
2018-10-05
A vulnerability in the command-line interface (CLI) in the Cisco SD-WAN Solution could allow an authenticated, local attacker to inject arbitrary commands that are executed with root privileges. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by authenticating to the device and submitting crafted input to the CLI utility. The attacker must be authenticated to access the CLI utility. A successful exploit could allow the attacker to execute commands with root privileges.
CVSS Score
7.8
EPSS Score
0.001
Published
2018-10-05
A vulnerability in the Zero Touch Provisioning feature of the Cisco SD-WAN Solution could allow an unauthenticated, remote attacker to gain unauthorized access to sensitive data by using an invalid certificate. The vulnerability is due to insufficient certificate validation by the affected software. An attacker could exploit this vulnerability by supplying a crafted certificate to an affected device. A successful exploit could allow the attacker to conduct man-in-the-middle attacks to decrypt confidential information on user connections to the affected software.
CVSS Score
7.4
EPSS Score
0.001
Published
2018-10-05
A vulnerability in the Cisco Umbrella API could allow an authenticated, remote attacker to view and modify data across their organization and other organizations. The vulnerability is due to insufficient authentication configurations for the API interface of Cisco Umbrella. An attacker could exploit this vulnerability to view and potentially modify data for their organization or other organizations. A successful exploit could allow the attacker to read or modify data across multiple organizations.
CVSS Score
9.1
EPSS Score
0.016
Published
2018-10-05