{"containers": {"cna": {"affected": [{"product": "Cisco IOS XE Software 16.11.1", "vendor": "Cisco", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2020-06-03T00:00:00", "descriptions": [{"lang": "en", "value": "A vulnerability in the web UI of Cisco IOS XE Software could allow an authenticated, remote attacker to execute arbitrary commands with root privileges on the underlying operating system of an affected device. The vulnerability is due to improper input sanitization. An attacker could exploit this vulnerability by uploading a crafted file to the web UI of an affected device. A successful exploit could allow the attacker to inject and execute arbitrary commands with root privileges on the device."}], "exploits": [{"lang": "en", "value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-77", "description": "CWE-77", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-06-03T17:41:04", "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "shortName": "cisco"}, "references": [{"name": "20200603 Cisco IOS XE Software Web UI Command Injection Vulnerability", "tags": ["vendor-advisory", "x_refsource_CISCO"], "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-web-cmdinj3-44st5CcA"}], "source": {"advisory": "cisco-sa-web-cmdinj3-44st5CcA", "defect": [["CSCvq32588"]], "discovery": "INTERNAL"}, "title": "Cisco IOS XE Software Web UI Command Injection Vulnerability", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@cisco.com", "DATE_PUBLIC": "2020-06-03T16:00:00", "ID": "CVE-2020-3212", "STATE": "PUBLIC", "TITLE": "Cisco IOS XE Software Web UI Command Injection Vulnerability"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Cisco IOS XE Software 16.11.1", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "Cisco"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A vulnerability in the web UI of Cisco IOS XE Software could allow an authenticated, remote attacker to execute arbitrary commands with root privileges on the underlying operating system of an affected device. The vulnerability is due to improper input sanitization. An attacker could exploit this vulnerability by uploading a crafted file to the web UI of an affected device. A successful exploit could allow the attacker to inject and execute arbitrary commands with root privileges on the device."}]}, "exploit": [{"lang": "en", "value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."}], "impact": {"cvss": {"baseScore": "7.2", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-77"}]}]}, "references": {"reference_data": [{"name": "20200603 Cisco IOS XE Software Web UI Command Injection Vulnerability", "refsource": "CISCO", "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-web-cmdinj3-44st5CcA"}]}, "source": {"advisory": "cisco-sa-web-cmdinj3-44st5CcA", "defect": [["CSCvq32588"]], "discovery": "INTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T07:24:00.845Z"}, "title": "CVE Program Container", "references": [{"name": "20200603 Cisco IOS XE Software Web UI Command Injection Vulnerability", "tags": ["vendor-advisory", "x_refsource_CISCO", "x_transferred"], "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-web-cmdinj3-44st5CcA"}]}]}, "cveMetadata": {"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "assignerShortName": "cisco", "cveId": "CVE-2020-3212", "datePublished": "2020-06-03T17:41:04.105542Z", "dateReserved": "2019-12-12T00:00:00", "dateUpdated": "2024-09-17T00:26:03.041Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:cisco:ios_xe:16.11.1:*:*:*:*:*:*:*", "matchCriteriaId": "E91F8704-6DAD-474A-84EA-04E4AF7BB9B1", "vulnerable": true}, {"criteria": "cpe:2.3:o:cisco:ios_xe:16.11.1a:*:*:*:*:*:*:*", "matchCriteriaId": "314C7763-A64D-4023-9F3F-9A821AE4151F", "vulnerable": true}, {"criteria": "cpe:2.3:o:cisco:ios_xe:16.11.1b:*:*:*:*:*:*:*", "matchCriteriaId": "5820D71D-FC93-45AA-BC58-A26A1A39C936", "vulnerable": true}, {"criteria": "cpe:2.3:o:cisco:ios_xe:16.11.1c:*:*:*:*:*:*:*", "matchCriteriaId": "FC1C85DD-69CC-4AA8-B219-651D57FC3506", "vulnerable": true}, {"criteria": "cpe:2.3:o:cisco:ios_xe:16.11.1s:*:*:*:*:*:*:*", "matchCriteriaId": "DB26AE0F-85D8-4EAB-B9BD-457DD81FF0FE", "vulnerable": true}, {"criteria": "cpe:2.3:o:cisco:ios_xe:16.12.1y:*:*:*:*:*:*:*", "matchCriteriaId": "93B96E01-3777-4C33-9225-577B469A6CE5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in the web UI of Cisco IOS XE Software could allow an authenticated, remote attacker to execute arbitrary commands with root privileges on the underlying operating system of an affected device. The vulnerability is due to improper input sanitization. An attacker could exploit this vulnerability by uploading a crafted file to the web UI of an affected device. A successful exploit could allow the attacker to inject and execute arbitrary commands with root privileges on the device."}, {"lang": "es", "value": "Una vulnerabilidad en la Interfaz de Usuario web de Cisco IOS XE Software, podr\u00eda permitir a un atacante remoto autenticado ejecutar comandos arbitrarios con privilegios root en el sistema operativo subyacente de un dispositivo afectado. La vulnerabilidad es debido a un saneamiento de entrada inapropiada. Un atacante podr\u00eda explotar esta vulnerabilidad al cargar un archivo dise\u00f1ado en la Interfaz de Usuario web de un dispositivo afectado. Una explotaci\u00f3n con \u00e9xito podr\u00eda permitir al atacante inyectar y ejecutar comandos arbitrarios con privilegios root en el dispositivo."}], "id": "CVE-2020-3212", "lastModified": "2020-06-10T15:39:58.653", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "ykramarz@cisco.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-06-03T18:15:19.277", "references": [{"source": "ykramarz@cisco.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-web-cmdinj3-44st5CcA"}], "sourceIdentifier": "ykramarz@cisco.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-77"}], "source": "ykramarz@cisco.com", "type": "Secondary"}]}

{}