CVE-2020-26063 - Vulnerability Details

A vulnerability in the API endpoints of Cisco Integrated Management Controller could allow an authenticated, remote attacker to bypass authorization and take actions on a vulnerable system without authorization.
The vulnerability is due to improper authorization checks on API endpoints. An attacker could exploit this vulnerability by sending malicious requests to an API endpoint. An exploit could allow the attacker to download files from or modify limited configuration options on the affected system.There are no workarounds that address this vulnerability.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00083.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Cisco Subscribe	Unified Computing System Subscribe

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2020-18693	A vulnerability in the API endpoints of Cisco Integrated Management Controller could allow an authenticated, remote attacker to bypass authorization and take actions on a vulnerable system without authorization. The vulnerability is due to improper authorization checks on API endpoints. An attacker could exploit this vulnerability by sending malicious requests to an API endpoint. An exploit could allow the attacker to download files from or modify limited configuration options on the affected system.There are no workarounds that address this vulnerability.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cimc-auth-zWkppJxL
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vmanx3-vrZbOqqD
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vsoln-arbfile-gtsEYxns
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-teams-xss-zLW9tD3

History

Mon, 18 Nov 2024 20:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Cisco Cisco unified Computing System
CPEs		cpe:2.3:a:cisco:unified_computing_system:3.2\(1d\):::::::* cpe:2.3:a:cisco:unified_computing_system:3.2\(2b\):::::::* cpe:2.3:a:cisco:unified_computing_system:3.2\(2c\):::::::* cpe:2.3:a:cisco:unified_computing_system:3.2\(2d\):::::::* cpe:2.3:a:cisco:unified_computing_system:3.2\(2e\):::::::* cpe:2.3:a:cisco:unified_computing_system:3.2\(2f\):::::::* cpe:2.3:a:cisco:unified_computing_system:3.2\(3a\):::::::* cpe:2.3:a:cisco:unified_computing_system:3.2\(3b\):::::::* cpe:2.3:a:cisco:unified_computing_system:3.2\(3d\):::::::* cpe:2.3:a:cisco:unified_computing_system:3.2\(3e\):::::::* cpe:2.3:a:cisco:unified_computing_system:3.2\(3g\):::::::* cpe:2.3:a:cisco:unified_computing_system:3.2\(3h\):::::::* cpe:2.3:a:cisco:unified_computing_system:3.2\(3i\):::::::* cpe:2.3:a:cisco:unified_computing_system:3.2\(3j\):::::::* cpe:2.3:a:cisco:unified_computing_system:3.2\(3k\):::::::* cpe:2.3:a:cisco:unified_computing_system:3.2\(3l\):::::::* cpe:2.3:a:cisco:unified_computing_system:3.2\(3n\):::::::* cpe:2.3:a:cisco:unified_computing_system:3.2\(3o\):::::::* cpe:2.3:a:cisco:unified_computing_system:3.2\(3p\):::::::* cpe:2.3:a:cisco:unified_computing_system:4.0\(1a\):::::::* cpe:2.3:a:cisco:unified_computing_system:4.0\(1b\):::::::* cpe:2.3:a:cisco:unified_computing_system:4.0\(1c\):::::::* cpe:2.3:a:cisco:unified_computing_system:4.0\(1d\):::::::* cpe:2.3:a:cisco:unified_computing_system:4.0\(2a\):::::::* cpe:2.3:a:cisco:unified_computing_system:4.0\(2b\):::::::* cpe:2.3:a:cisco:unified_computing_system:4.0\(2d\):::::::* cpe:2.3:a:cisco:unified_computing_system:4.0\(2e\):::::::* cpe:2.3:a:cisco:unified_computing_system:4.0\(4a\):::::::* cpe:2.3:a:cisco:unified_computing_system:4.0\(4b\):::::::* cpe:2.3:a:cisco:unified_computing_system:4.0\(4c\):::::::* cpe:2.3:a:cisco:unified_computing_system:4.0\(4d\):::::::* cpe:2.3:a:cisco:unified_computing_system:4.0\(4e\):::::::* cpe:2.3:a:cisco:unified_computing_system:4.0\(4f\):::::::* cpe:2.3:a:cisco:unified_computing_system:4.0\(4g\):::::::* cpe:2.3:a:cisco:unified_computing_system:4.0\(4h\):::::::* cpe:2.3:a:cisco:unified_computing_system:4.0\(4i\):::::::* cpe:2.3:a:cisco:unified_computing_system:4.1\(1a\):::::::* cpe:2.3:a:cisco:unified_computing_system:4.1\(1b\):::::::* cpe:2.3:a:cisco:unified_computing_system:4.1\(1c\):::::::* cpe:2.3:a:cisco:unified_computing_system:4.1\(1d\):::::::* cpe:2.3:a:cisco:unified_computing_system:4.1\(1e\):::::::* cpe:2.3:a:cisco:unified_computing_system:4.1\(2a\):::::::* cpe:2.3:a:cisco:unified_computing_system:4.1\(2b\):::::::*
Vendors & Products		Cisco Cisco unified Computing System
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 18 Nov 2024 16:15:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability in the API endpoints of Cisco Integrated Management Controller could allow an authenticated, remote attacker to bypass authorization and take actions on a vulnerable system without authorization. The vulnerability is due to improper authorization checks on API endpoints. An attacker could exploit this vulnerability by sending malicious requests to an API endpoint. An exploit could allow the attacker to download files from or modify limited configuration options on the affected system.There are no workarounds that address this vulnerability.
Title		Cisco Integrated Management Controller Software Authorization Bypass Vulnerability
Weaknesses		CWE-269
References		https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cimc-auth-zWkppJxL https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vmanx3-vrZbOqqD https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vsoln-arbfile-gtsEYxns https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-teams-xss-zLW9tD3
Metrics		cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/RL:X/RC:X/E:X'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: cisco

Published: 2024-11-18T16:05:53.165Z

Updated: 2024-11-18T19:49:33.809Z

Reserved: 2020-09-24T00:00:00.000Z

Link: CVE-2020-26063

Vulnrichment

Updated: 2024-11-18T19:47:43.762Z

NVD

Status : Awaiting Analysis

Published: 2024-11-18T16:15:05.460

Modified: 2024-11-18T17:11:17.393

Link: CVE-2020-26063

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-269

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

Projects

JSON object

JSON object

JSON object

JSON object

JSON object