CVE-2022-20657

Опубликовано: 15 нояб. 2024

Источник: nvd

CVSS3: 6.1

EPSS Низкий

Описание

A vulnerability in the web-based management interface of Cisco PI and Cisco EPNM could allow an unauthenticated, remote attacker to conduct an XSS attack against a user of the interface of an affected device. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of an affected interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.

Ссылки

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-pi-epnm-path-trav-zws324yn
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:cisco:prime_infrastructure:2.0.0:*:*:*:*:*:*:*

cpe:2.3:a:cisco:prime_infrastructure:2.1:*:*:*:*:*:*:*

cpe:2.3:a:cisco:prime_infrastructure:2.2:*:*:*:*:*:*:*

cpe:2.3:a:cisco:prime_infrastructure:3.0.0:*:*:*:*:*:*:*

cpe:2.3:a:cisco:prime_infrastructure:3.1.0:*:*:*:*:*:*:*

cpe:2.3:a:cisco:prime_infrastructure:3.1.5:*:*:*:*:*:*:*

cpe:2.3:a:cisco:prime_infrastructure:3.2:*:*:*:*:*:*:*

cpe:2.3:a:cisco:prime_infrastructure:3.2.0-fips:*:*:*:*:*:*:*

cpe:2.3:a:cisco:prime_infrastructure:3.3.0:*:*:*:*:*:*:*

cpe:2.3:a:cisco:prime_infrastructure:3.4.0:*:*:*:*:*:*:*

cpe:2.3:a:cisco:prime_infrastructure:3.5.0:*:*:*:*:*:*:*

cpe:2.3:a:cisco:prime_infrastructure:3.6.0:*:*:*:*:*:*:*

cpe:2.3:a:cisco:prime_infrastructure:3.7.0:*:*:*:*:*:*:*

cpe:2.3:a:cisco:prime_infrastructure:3.8.0:*:*:*:*:*:*:*

cpe:2.3:a:cisco:prime_infrastructure:3.9.0:*:*:*:*:*:*:*

Конфигурация 2

Одно из

cpe:2.3:a:cisco:evolved_programmable_network_manager:1.1:*:*:*:*:*:*:*

cpe:2.3:a:cisco:evolved_programmable_network_manager:1.2:*:*:*:*:*:*:*

cpe:2.3:a:cisco:evolved_programmable_network_manager:2.0:*:*:*:*:*:*:*

cpe:2.3:a:cisco:evolved_programmable_network_manager:2.1:*:*:*:*:*:*:*

cpe:2.3:a:cisco:evolved_programmable_network_manager:2.2:*:*:*:*:*:*:*

cpe:2.3:a:cisco:evolved_programmable_network_manager:3.0:*:*:*:*:*:*:*

cpe:2.3:a:cisco:evolved_programmable_network_manager:3.0.1:*:*:*:*:*:*:*

cpe:2.3:a:cisco:evolved_programmable_network_manager:3.0.2:*:*:*:*:*:*:*

cpe:2.3:a:cisco:evolved_programmable_network_manager:3.0.3:*:*:*:*:*:*:*

cpe:2.3:a:cisco:evolved_programmable_network_manager:3.1:*:*:*:*:*:*:*

cpe:2.3:a:cisco:evolved_programmable_network_manager:3.1.1:*:*:*:*:*:*:*

cpe:2.3:a:cisco:evolved_programmable_network_manager:3.1.2:*:*:*:*:*:*:*

cpe:2.3:a:cisco:evolved_programmable_network_manager:3.1.3:*:*:*:*:*:*:*

cpe:2.3:a:cisco:evolved_programmable_network_manager:4.0:*:*:*:*:*:*:*

cpe:2.3:a:cisco:evolved_programmable_network_manager:4.0.1:*:*:*:*:*:*:*

cpe:2.3:a:cisco:evolved_programmable_network_manager:4.0.2:*:*:*:*:*:*:*

cpe:2.3:a:cisco:evolved_programmable_network_manager:4.0.3:*:*:*:*:*:*:*

cpe:2.3:a:cisco:evolved_programmable_network_manager:4.1:*:*:*:*:*:*:*

cpe:2.3:a:cisco:evolved_programmable_network_manager:4.1.1:*:*:*:*:*:*:*

cpe:2.3:a:cisco:evolved_programmable_network_manager:5.0:*:*:*:*:*:*:*

cpe:2.3:a:cisco:evolved_programmable_network_manager:5.0.1:*:*:*:*:*:*:*

cpe:2.3:a:cisco:evolved_programmable_network_manager:5.0.2:*:*:*:*:*:*:*

cpe:2.3:a:cisco:evolved_programmable_network_manager:5.1:*:*:*:*:*:*:*

cpe:2.3:a:cisco:evolved_programmable_network_manager:5.1.1:*:*:*:*:*:*:*

cpe:2.3:a:cisco:evolved_programmable_network_manager:5.1.2:*:*:*:*:*:*:*

EPSS

Процентиль: 39%

0.00178

Низкий

6.1 Medium

CVSS3

Дефекты

CWE-79

Связанные уязвимости

GHSA-gg8c-67xr-mxhv

CVSS3: 6.1

github

около 1 года назад

A vulnerability in the web-based management interface of Cisco PI and Cisco EPNM could allow an unauthenticated, remote attacker to conduct an XSS attack against a user of the interface of an affected device. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of an affected interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.

BDU:2022-00522

CVSS3: 6.5

fstec

около 4 лет назад

Уязвимость веб-интерфейса управления системы мониторинга и управления сетевым оборудованием Cisco Prime Infrastructure и программного средства управления сетевыми сервисами Cisco Evolved Programmable Network Manager, позволяющая нарушителю осуществлять межсайтовые сценарные атаки