4.3
CVE-2023-20237
- EPSS 0.05%
- Published 16.08.2023 22:15:12
- Last modified 21.11.2024 07:40:57
- Source psirt@cisco.com
- Teams watchlist Login
- Open Login
A vulnerability in Cisco Intersight Virtual Appliance could allow an unauthenticated, adjacent attacker to access internal HTTP services that are otherwise inaccessible. This vulnerability is due to insufficient restrictions on internally accessible http proxies. An attacker could exploit this vulnerability by submitting a crafted CLI command. A successful exploit could allow the attacker access to internal subnets beyond the sphere of their intended access level.
Data is provided by the National Vulnerability Database (NVD)
Cisco ≫ Intersight Virtual Appliance Version < 1.0.9-589
Cisco ≫ Intersight Assist Version-
Cisco ≫ Intersight Connected Virtual Appliance Version-
Cisco ≫ Intersight Private Virtual Appliance Version-
Cisco ≫ Intersight Connected Virtual Appliance Version-
Cisco ≫ Intersight Private Virtual Appliance Version-
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.05% | 0.126 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| nvd@nist.gov | 4.3 | 2.8 | 1.4 |
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
|
| psirt@cisco.com | 4.3 | 2.8 | 1.4 |
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
|
CWE-284 Improper Access Control
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.