CVE-2017-6662

EPSS 0.95%
Veröffentlicht 26.06.2017 07:29:00
Zuletzt bearbeitet 20.04.2025 01:37:25
Quelle psirt@cisco.com
Teams Watchlist Login
Unerledigt Login

A vulnerability in the web-based user interface of Cisco Prime Infrastructure (PI) and Evolved Programmable Network Manager (EPNM) could allow an authenticated, remote attacker read and write access to information stored in the affected system as well as perform remote code execution. The attacker must have valid user credentials. The vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing an XML file. An attacker could exploit this vulnerability by convincing the administrator of an affected system to import a crafted XML file with malicious entries which could allow the attacker to read and write files and execute remote code within the application, aka XML Injection. Cisco Prime Infrastructure software releases 1.1 through 3.1.6 are vulnerable. Cisco EPNM software releases 1.2, 2.0, and 2.1 are vulnerable. Cisco Bug IDs: CSCvc23894 CSCvc49561.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Cisco ≫ Evolved Programmable Network Manager Version1.2.0

Cisco ≫ Evolved Programmable Network Manager Version1.2.1.3

Cisco ≫ Evolved Programmable Network Manager Version1.2.200

Cisco ≫ Evolved Programmable Network Manager Version1.2.300

Cisco ≫ Evolved Programmable Network Manager Version1.2.400

Cisco ≫ Evolved Programmable Network Manager Version1.2.500

Cisco ≫ Evolved Programmable Network Manager Version2.0.0

Cisco ≫ Prime Infrastructure Version1.2

Cisco ≫ Prime Infrastructure Version1.2.0.103

Cisco ≫ Prime Infrastructure Version1.2.1

Cisco ≫ Prime Infrastructure Version1.3

Cisco ≫ Prime Infrastructure Version1.3.0.20

Cisco ≫ Prime Infrastructure Version1.4

Cisco ≫ Prime Infrastructure Version1.4.0.45

Cisco ≫ Prime Infrastructure Version1.4.1

Cisco ≫ Prime Infrastructure Version1.4.2

Cisco ≫ Prime Infrastructure Version2.0

Cisco ≫ Prime Infrastructure Version2.1.0

Cisco ≫ Prime Infrastructure Version2.2

Cisco ≫ Prime Infrastructure Version3.0

Cisco ≫ Prime Infrastructure Version3.1

Cisco ≫ Prime Infrastructure Version3.1.1

Cisco ≫ Prime Infrastructure Version3.2_base

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.95%	0.742

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8	2.1	5.9	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
nvd@nist.gov	6	6.8	6.4	AV:N/AC:M/Au:S/C:P/I:P/A:P

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

CWE-611 Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

http://www.securityfocus.com/bid/99194

Third Party Advisory

VDB Entry

http://www.securitytracker.com/id/1038750

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170621-piepnm1

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2017-6662

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2017-6662

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2017-6662

EUVD