{"containers": {"cna": {"affected": [{"product": "Cisco Prime Service Catalog", "vendor": "Cisco", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2022-02-02T00:00:00", "descriptions": [{"lang": "en", "value": "A vulnerability in the web-based management interface of Cisco Prime Service Catalog could allow an authenticated, remote attacker to access sensitive information on an affected device. This vulnerability is due to improper enforcement of Administrator privilege levels for low-value sensitive data. An attacker with read-only Administrator access to the web-based management interface could exploit this vulnerability by sending a malicious HTTP request to the page that contains the sensitive data. A successful exploit could allow the attacker to collect sensitive information about users of the system and orders that have been placed using the application."}], "exploits": [{"lang": "en", "value": "The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-02-10T17:06:36", "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "shortName": "cisco"}, "references": [{"name": "20220202 Cisco Prime Service Catalog Information Disclosure Vulnerability", "tags": ["vendor-advisory", "x_refsource_CISCO"], "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cpsc-info-disc-zkJBDJ9F"}], "source": {"advisory": "cisco-sa-cpsc-info-disc-zkJBDJ9F", "defect": [["CSCwa04413"]], "discovery": "INTERNAL"}, "title": "Cisco Prime Service Catalog Information Disclosure Vulnerability", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@cisco.com", "DATE_PUBLIC": "2022-02-02T16:00:00", "ID": "CVE-2022-20680", "STATE": "PUBLIC", "TITLE": "Cisco Prime Service Catalog Information Disclosure Vulnerability"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Cisco Prime Service Catalog", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "Cisco"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A vulnerability in the web-based management interface of Cisco Prime Service Catalog could allow an authenticated, remote attacker to access sensitive information on an affected device. This vulnerability is due to improper enforcement of Administrator privilege levels for low-value sensitive data. An attacker with read-only Administrator access to the web-based management interface could exploit this vulnerability by sending a malicious HTTP request to the page that contains the sensitive data. A successful exploit could allow the attacker to collect sensitive information about users of the system and orders that have been placed using the application."}]}, "exploit": [{"lang": "en", "value": "The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."}], "impact": {"cvss": {"baseScore": "4.3", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-200"}]}]}, "references": {"reference_data": [{"name": "20220202 Cisco Prime Service Catalog Information Disclosure Vulnerability", "refsource": "CISCO", "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cpsc-info-disc-zkJBDJ9F"}]}, "source": {"advisory": "cisco-sa-cpsc-info-disc-zkJBDJ9F", "defect": [["CSCwa04413"]], "discovery": "INTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T02:17:53.025Z"}, "title": "CVE Program Container", "references": [{"name": "20220202 Cisco Prime Service Catalog Information Disclosure Vulnerability", "tags": ["vendor-advisory", "x_refsource_CISCO", "x_transferred"], "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cpsc-info-disc-zkJBDJ9F"}]}]}, "cveMetadata": {"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "assignerShortName": "cisco", "cveId": "CVE-2022-20680", "datePublished": "2022-02-10T17:06:36.032914Z", "dateReserved": "2021-11-02T00:00:00", "dateUpdated": "2024-09-16T18:13:32.416Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cisco:prime_service_catalog:*:*:*:*:*:*:*:*", "matchCriteriaId": "3AFA6F28-0701-46CD-87FF-5839CB2AC336", "versionEndIncluding": "12.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:cisco:prime_service_catalog:12.1:-:*:*:*:*:*:*", "matchCriteriaId": "35E435C8-A536-4C91-AA5D-9F62B883DF7C", "vulnerable": true}, {"criteria": "cpe:2.3:a:cisco:prime_service_catalog:12.1:patch10:*:*:*:*:*:*", "matchCriteriaId": "6FB06987-EFC1-4757-B64A-939CD42514AE", "vulnerable": true}, {"criteria": "cpe:2.3:a:cisco:prime_service_catalog:12.1:patch11:*:*:*:*:*:*", "matchCriteriaId": "1F2C263D-F948-43B5-8C20-D2BA74B4AF9B", "vulnerable": true}, {"criteria": "cpe:2.3:a:cisco:prime_service_catalog:12.1:patch12:*:*:*:*:*:*", "matchCriteriaId": "14E2B5F5-2056-496E-939E-FE5172069452", "vulnerable": true}, {"criteria": "cpe:2.3:a:cisco:prime_service_catalog:12.1:patch13:*:*:*:*:*:*", "matchCriteriaId": "C93B29AC-F9AD-4D2B-A7C9-82CC853543A9", "vulnerable": true}, {"criteria": "cpe:2.3:a:cisco:prime_service_catalog:12.1:patch14:*:*:*:*:*:*", "matchCriteriaId": "40C1E760-ECC3-46EA-9A07-91F82C9C9DFC", "vulnerable": true}, {"criteria": "cpe:2.3:a:cisco:prime_service_catalog:12.1:patch15:*:*:*:*:*:*", "matchCriteriaId": "0E39AB69-F1D0-47A0-A588-AEF75BC7D3FB", "vulnerable": true}, {"criteria": "cpe:2.3:a:cisco:prime_service_catalog:12.1:patch16:*:*:*:*:*:*", "matchCriteriaId": "065D9B09-826C-4EBE-AE31-0C2C904552FC", "vulnerable": true}, {"criteria": "cpe:2.3:a:cisco:prime_service_catalog:12.1:patch17:*:*:*:*:*:*", "matchCriteriaId": "4C8C8E29-AD2F-4174-BF69-A1CE2F643CB6", "vulnerable": true}, {"criteria": "cpe:2.3:a:cisco:prime_service_catalog:12.1:patch2:*:*:*:*:*:*", "matchCriteriaId": "A004DB11-C82F-4D0F-A00B-754A14C8076D", "vulnerable": true}, {"criteria": "cpe:2.3:a:cisco:prime_service_catalog:12.1:patch3:*:*:*:*:*:*", "matchCriteriaId": "6753A7CF-3962-47BA-8568-092D732A0F0D", "vulnerable": true}, {"criteria": "cpe:2.3:a:cisco:prime_service_catalog:12.1:patch4:*:*:*:*:*:*", "matchCriteriaId": "D08A22C9-2273-4137-8258-3ED4A6A17B11", "vulnerable": true}, {"criteria": "cpe:2.3:a:cisco:prime_service_catalog:12.1:patch6:*:*:*:*:*:*", "matchCriteriaId": "CB055BC5-86CE-4030-8A4C-7CD4C44059C8", "vulnerable": true}, {"criteria": "cpe:2.3:a:cisco:prime_service_catalog:12.1:patch7:*:*:*:*:*:*", "matchCriteriaId": "72888FB6-026E-44BC-8F20-C675F975071F", "vulnerable": true}, {"criteria": "cpe:2.3:a:cisco:prime_service_catalog:12.1:patch8:*:*:*:*:*:*", "matchCriteriaId": "4998401E-207F-4CC2-8ABA-E557DB1293C4", "vulnerable": true}, {"criteria": "cpe:2.3:a:cisco:prime_service_catalog:12.1:patch9:*:*:*:*:*:*", "matchCriteriaId": "DDCDBACB-F9FF-43D5-84B0-7B14E1BD3A0D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in the web-based management interface of Cisco Prime Service Catalog could allow an authenticated, remote attacker to access sensitive information on an affected device. This vulnerability is due to improper enforcement of Administrator privilege levels for low-value sensitive data. An attacker with read-only Administrator access to the web-based management interface could exploit this vulnerability by sending a malicious HTTP request to the page that contains the sensitive data. A successful exploit could allow the attacker to collect sensitive information about users of the system and orders that have been placed using the application."}, {"lang": "es", "value": "Una vulnerabilidad en la interfaz de administraci\u00f3n basada en web de Cisco Prime Service Catalog podr\u00eda permitir a un atacante remoto autenticado acceder a informaci\u00f3n confidencial en un dispositivo afectado. Esta vulnerabilidad es debido a una aplicaci\u00f3n inapropiada de los niveles de privilegio de administrador para los datos confidenciales de bajo valor. Un atacante con acceso de administrador de s\u00f3lo lectura a la interfaz de administraci\u00f3n basada en web podr\u00eda explotar esta vulnerabilidad mediante el env\u00edo de una petici\u00f3n HTTP maliciosa a la p\u00e1gina que contiene los datos confidenciales. Una explotaci\u00f3n con \u00e9xito podr\u00eda permitir al atacante recopilar informaci\u00f3n confidencial sobre los usuarios del sistema y los pedidos que han sido realizados usando la aplicaci\u00f3n"}], "id": "CVE-2022-20680", "lastModified": "2023-11-07T03:42:36.633", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "ykramarz@cisco.com", "type": "Secondary"}]}, "published": "2022-02-10T18:15:08.927", "references": [{"source": "ykramarz@cisco.com", "tags": ["Vendor Advisory"], "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cpsc-info-disc-zkJBDJ9F"}], "sourceIdentifier": "ykramarz@cisco.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-200"}], "source": "ykramarz@cisco.com", "type": "Secondary"}]}

{}