CVE-2023-20127

Published: Apr 5, 2023Modified: Nov 21, 2024

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

Multiple vulnerabilities in the web-based management interface of Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager (EPNM) could allow a remote attacker to obtain privileged information and conduct cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks. For more information about these vulnerabilities, see the Details section of this advisory.

Affected (6)

Products: Cisco: Prime Infrastructure

Cisco

1 product

Prime Infrastructure

Configuration A

6 vulnerable

Vulnerable Software	Affected Versions
Cisco Prime Infrastructure	Up to 3.7
Cisco Prime Infrastructure	From 3.10 to 3.10.2
Cisco Prime Infrastructure	Version 3.8.1
Cisco Prime Infrastructure	Version 3.8
Cisco Prime Infrastructure	Version 3.9.1
Cisco Prime Infrastructure	Version 3.9

Related CWEs

CWE-27

Path Traversal: 'dir/../../filename'

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize multiple internal "../" sequences that can resolve to a location that is outside of that directory.

References (2)

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-pi-epnm-eRPWAXLe

Source: psirt@cisco.com

Vendor Advisory

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-pi-epnm-eRPWAXLe

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.