The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Cisco Prime Collaboration Assurance

computer vulnerability alert CVE-2019-1856

Cisco Prime Collaboration Assurance: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting in Cisco Prime Collaboration Assurance, in order to run JavaScript code in the context of the web site.
Impacted products: Prime Collaboration Assurance.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 02/05/2019.
Identifiers: cisco-sa-20190501-pca-xss, CSCvk13522, CVE-2019-1856, VIGILANCE-VUL-29186.


vulnerability CVE-2018-15450

Cisco Prime Collaboration Assurance: privilege escalation via Web-based UI File Overwrite

Synthesis of the vulnerability

An attacker can bypass restrictions via a Web-based UI File Overwrite in Cisco Prime Collaboration Assurance, in order to escalate their privileges.
Impacted products: Prime Collaboration Assurance.
Severity: 2/4.
Consequences: user access/rights, data creation/edition.
Provenance: user account.
Creation date: 07/11/2018.
Identifiers: CERTFR-2018-AVI-536, cisco-sa-20181107-pca-overwrite, CSCvj07247, CVE-2018-15450, VIGILANCE-VUL-27720.


computer vulnerability bulletin CVE-2018-15438

Cisco Prime Collaboration Assurance: Cross Site Request Forgery

Synthesis of the vulnerability

An attacker can trigger a Cross Site Request Forgery in Cisco Prime Collaboration Assurance, in order to force the victim to perform operations.
Impacted products: Prime Collaboration Assurance.
Severity: 2/4.
Consequences: user access/rights.
Provenance: internet client.
Creation date: 18/10/2018.
Identifiers: CERTFR-2018-AVI-502, cisco-sa-20181017-cpca-csrf, CSCvj07251, CVE-2018-15438, VIGILANCE-VUL-27558.

Description of the vulnerability

The Cisco Prime Collaboration Assurance product offers a web service.

However, the origin of requests is not checked. They can, for example, originate from an image included in an HTML document.

An attacker can therefore trigger a Cross Site Request Forgery in Cisco Prime Collaboration Assurance, in order to force the victim to perform operations.

computer vulnerability note CVE-2018-0458

Cisco Prime Collaboration Assurance: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting in Cisco Prime Collaboration Assurance, in order to run JavaScript code in the context of the web site.
Impacted products: Prime Collaboration Assurance.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 06/09/2018.
Identifiers: CERTFR-2018-AVI-423, cisco-sa-20180905-pca-xss, CSCvg15441, CVE-2018-0458, VIGILANCE-VUL-27159.

Description of the vulnerability

The Cisco Prime Collaboration Assurance product offers a web service.

However, it does not filter received data before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting in Cisco Prime Collaboration Assurance, in order to run JavaScript code in the context of the web site.

computer vulnerability note CVE-2018-5391

Linux kernel: denial of service via FragmentSmack

Synthesis of the vulnerability

An attacker can generate a fatal error via FragmentSmack in the Linux kernel, in order to trigger a denial of service.
Impacted products: GAiA, SecurePlatform, CheckPoint Security Gateway, Cisco Aironet, IOS XE Cisco, Nexus by Cisco, Prime Collaboration Assurance, Prime Infrastructure, Cisco Router, Secure ACS, Cisco CUCM, Cisco UCS, Cisco Unified CCX, Cisco IP Phone, Cisco Wireless Controller, Debian, BIG-IP Hardware, TMOS, Junos Space, Linux, Windows 10, Windows 2008 R0, Windows 2008 R2, Windows 2012, Windows 2016, Windows 7, Windows 8, Windows RT, openSUSE Leap, Palo Alto Firewall PA***, PAN-OS, RHEL, RSA Authentication Manager, SUSE Linux Enterprise Desktop, SLES, Symantec Content Analysis, ProxySG by Symantec, Synology DSM, Ubuntu.
Severity: 2/4.
Consequences: denial of service on server, denial of service on service.
Provenance: internet client.
Creation date: 16/08/2018.
Identifiers: ADV180022, CERTFR-2018-AVI-390, CERTFR-2018-AVI-392, CERTFR-2018-AVI-419, CERTFR-2018-AVI-457, CERTFR-2018-AVI-478, CERTFR-2018-AVI-533, CERTFR-2019-AVI-233, CERTFR-2019-AVI-242, cisco-sa-20180824-linux-ip-fragment, CVE-2018-5391, DLA-1466-1, DLA-1529-1, DSA-2019-062, DSA-4272-1, FragmentSmack, JSA10917, K74374841, openSUSE-SU-2018:2404-1, openSUSE-SU-2018:2407-1, openSUSE-SU-2019:0274-1, PAN-SA-2018-0012, RHSA-2018:2785-01, RHSA-2018:2791-01, RHSA-2018:2846-01, RHSA-2018:2924-01, RHSA-2018:2925-01, RHSA-2018:2933-01, RHSA-2018:2948-01, RHSA-2018:3083-01, RHSA-2018:3096-01, RHSA-2018:3459-01, RHSA-2018:3540-01, RHSA-2018:3586-01, RHSA-2018:3590-01, sk134253, SUSE-SU-2018:2344-1, SUSE-SU-2018:2374-1, SUSE-SU-2018:2380-1, SUSE-SU-2018:2381-1, SUSE-SU-2018:2596-1, SUSE-SU-2019:0541-1, SUSE-SU-2019:1289-1, SYMSA1467, Synology-SA-18:44, USN-3740-1, USN-3740-2, USN-3741-1, USN-3741-2, USN-3741-3, USN-3742-1, USN-3742-2, USN-3742-3, VIGILANCE-VUL-27009, VU#641765.


vulnerability bulletin CVE-2017-6779

Cisco: denial of service via Log File Size

Synthesis of the vulnerability

An attacker can generate a fatal error via Log File Size in Cisco products, in order to trigger a denial of service.
Impacted products: Prime Collaboration Assurance, Cisco CUCM, Cisco Unified CCX, Cisco Unity ~ precise.
Severity: 2/4.
Consequences: denial of service on server, denial of service on service.
Provenance: internet client.
Creation date: 07/06/2018.
Identifiers: CERTFR-2018-AVI-270, cisco-sa-20180606-diskdos, CVE-2017-6779, VIGILANCE-VUL-26343.


vulnerability note CVE-2017-6659

Cisco Prime Collaboration Assurance: Cross Site Request Forgery

Synthesis of the vulnerability

An attacker can trigger a Cross Site Request Forgery in Cisco Prime Collaboration Assurance, in order to force the victim to perform operations.
Impacted products: Prime Collaboration Assurance.
Severity: 2/4.
Consequences: user access/rights.
Provenance: internet client.
Creation date: 08/06/2017.
Identifiers: cisco-sa-20170607-pca, CVE-2017-6659, VIGILANCE-VUL-22924.


vulnerability alert CVE-2017-3733

OpenSSL: denial of service via the "Encrypt-Then-Mac" option

Synthesis of the vulnerability

An attacker can change the state of the "Encrypt-Then-Mac" TLS option in a renegotiation with a server or client based on OpenSSL, in order to trigger a denial of service.
Impacted products: Cisco ASR, Cisco ATA, AsyncOS, Cisco Catalyst, Cisco Content SMA, Cisco ESA, IOS by Cisco, IOS XE Cisco, IOS XR Cisco, Nexus by Cisco, NX-OS, Cisco Prime Access Registrar, Prime Collaboration Assurance, Cisco Prime DCNM, Prime Infrastructure, Cisco Router, Cisco CUCM, Cisco Manager Attendant Console, Cisco Wireless IP Phone, Cisco WSA, Cisco Wireless Controller, HP Operations, IRAD, Tivoli Storage Manager, OpenSSL, Oracle Communications, Oracle Directory Server, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle Identity Management, Oracle iPlanet Web Server, Tuxedo, VirtualBox, WebLogic, Oracle Web Tier.
Severity: 2/4.
Consequences: denial of service on server, denial of service on service, denial of service on client.
Provenance: internet client.
Creation date: 16/02/2017.
Identifiers: 2003480, 2003620, 2003673, 2004940, CERTFR-2017-AVI-035, cisco-sa-20170130-openssl, cpuapr2019, cpujan2018, cpuoct2017, CVE-2017-3733, HPESBGN03728, VIGILANCE-VUL-21871.

Description of the vulnerability

OpenSSL supports renegotiating TLS options and parameters during a session.

However, for some combinations of algorithms, inverting the state of the "Encrypt-Then-Mac" option generates a fatal error.

An attacker can therefore change the state of the "Encrypt-Then-Mac" TLS option in a renegotiation with a server or client based on OpenSSL, in order to trigger a denial of service.

vulnerability alert CVE-2017-3843

Cisco Prime Collaboration Assurance: file download

Synthesis of the vulnerability

An attacker can traverse directories of Cisco Prime Collaboration Assurance, in order to read a file outside the service root path.
Impacted products: Prime Collaboration Assurance.
Severity: 2/4.
Consequences: data reading.
Provenance: internet client.
Creation date: 16/02/2017.
Identifiers: CERTFR-2017-AVI-052, cisco-sa-20170215-pcp1, CVE-2017-3843, VIGILANCE-VUL-21861.

Description of the vulnerability

The Cisco Prime Collaboration Assurance product offers a web service.

However, user-supplied data is inserted directly into an access path. Sequences such as "/.." can thus be used to move up to the parent directory.

An attacker can therefore traverse directories of Cisco Prime Collaboration Assurance, in order to read a file outside the service root path.

computer vulnerability note CVE-2017-3844

Cisco Prime Collaboration Assurance: directory traversal

Synthesis of the vulnerability

An attacker can traverse directories of Cisco Prime Collaboration Assurance, in order to read a file outside the service root path.
Impacted products: Prime Collaboration Assurance.
Severity: 2/4.
Consequences: data reading.
Provenance: internet client.
Creation date: 16/02/2017.
Identifiers: CERTFR-2017-AVI-052, cisco-sa-20170215-pcp2, CVE-2017-3844, VIGILANCE-VUL-21859.

Description of the vulnerability

The Cisco Prime Collaboration Assurance product offers a web service.

However, user-supplied data is inserted directly into an access path. Sequences such as "/.." can thus be used to move up to the parent directory.

An attacker can therefore traverse directories of Cisco Prime Collaboration Assurance, in order to read a file outside the service root path.