The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Cisco Secure Access Control System

computer vulnerability announce CVE-2013-5536

Cisco Secure ACS: denial of service via Distributed Deployment

Synthesis of the vulnerability

An attacker can flood a Cisco Secure ACS Distributed Deployment with packets that its firewall does not filter, in order to stop processes and trigger a denial of service.
Impacted products: Secure ACS.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: intranet client.
Creation date: 23/10/2013.
Identifiers: BID-63281, CSCui51521, CVE-2013-5536, VIGILANCE-VUL-13637.

Description of the vulnerability

An attacker can flood a Cisco Secure ACS Distributed Deployment with packets that its firewall does not filter, in order to stop processes and trigger a denial of service.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability CVE-2013-5470

Cisco Secure ACS: denial of service via TACACS+

Synthesis of the vulnerability

An attacker can send malformed TCP packets to a Cisco Secure ACS configured as a TACACS+ server, in order to trigger a denial of service.
Impacted products: Secure ACS.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: intranet client.
Creation date: 04/09/2013.
Identifiers: BID-62145, CSCuh12488, CVE-2013-5470, VIGILANCE-VUL-13345.

Description of the vulnerability

An attacker can send malformed TCP packets to a Cisco Secure ACS configured as a TACACS+ server, in order to trigger a denial of service.
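The bulletin does not say which malformation is involved. As an added illustration (not Cisco's or Vigil@nce's code), the following Python shows the checks a TACACS+ listener should apply to the fixed 12-byte header defined in RFC 8907 before it trusts the body length field: version, packet type, a bounded body length, and a refusal to read past what has actually arrived on the TCP stream. The size limit, the `check` helper and the sample packets are constructed for this example.

```python
"""Defensive parsing of the TACACS+ packet header.

Added example (not Cisco's code). The 12-byte header layout follows RFC 8907;
MAX_BODY_LEN and the sample packets are assumptions for this illustration.
"""
import struct
from dataclasses import dataclass

TAC_PLUS_MAJOR_VER = 0xC          # upper nibble of the version byte
TAC_PLUS_HEADER_LEN = 12
HEADER_FMT = "!BBBBII"            # version, type, seq_no, flags, session_id, length
TYPES = {1: "AUTHEN", 2: "AUTHOR", 3: "ACCT"}
MAX_BODY_LEN = 64 * 1024          # assumption: bound on what we buffer per packet


class MalformedPacket(ValueError):
    """Raised for any header the listener refuses to act on."""


@dataclass
class Header:
    major: int
    minor: int
    ptype: int
    seq_no: int
    flags: int
    session_id: int
    length: int


def parse_header(data: bytes) -> Header:
    """Validate the 12-byte header; never trust `length` before these checks."""
    if len(data) < TAC_PLUS_HEADER_LEN:
        raise MalformedPacket("short header")
    ver, ptype, seq_no, flags, session_id, length = struct.unpack(
        HEADER_FMT, data[:TAC_PLUS_HEADER_LEN])
    major, minor = ver >> 4, ver & 0x0F
    if major != TAC_PLUS_MAJOR_VER or minor not in (0, 1):
        raise MalformedPacket(f"unsupported version {ver:#04x}")
    if ptype not in TYPES:
        raise MalformedPacket(f"unknown packet type {ptype}")
    if length > MAX_BODY_LEN:
        raise MalformedPacket(f"body length {length} exceeds {MAX_BODY_LEN}")
    return Header(major, minor, ptype, seq_no, flags, session_id, length)


def read_packet(stream: bytes) -> tuple[Header, bytes]:
    """Split one packet off a TCP stream, refusing to read past what arrived."""
    hdr = parse_header(stream)
    end = TAC_PLUS_HEADER_LEN + hdr.length
    if len(stream) < end:
        have = len(stream) - TAC_PLUS_HEADER_LEN
        raise MalformedPacket(f"truncated body: have {have}, need {hdr.length}")
    return hdr, stream[TAC_PLUS_HEADER_LEN:end]


def check(stream: bytes) -> str:
    """Classify a stream: 'ok <TYPE> seq=<n>' or 'rejected: <reason>'."""
    try:
        hdr, _body = read_packet(stream)
    except MalformedPacket as exc:
        return f"rejected: {exc}"
    return f"ok {TYPES[hdr.ptype]} seq={hdr.seq_no}"


def build_packet(ptype: int, seq_no: int, session_id: int, body: bytes,
                 flags: int = 0x01) -> bytes:
    """Well-formed packet; flags=0x01 marks an unencrypted (test-only) body."""
    ver = TAC_PLUS_MAJOR_VER << 4
    return struct.pack(HEADER_FMT, ver, ptype, seq_no, flags, session_id, len(body)) + body


# Constructed samples. GOOD carries an opaque 13-byte body; the others are the
# malformed shapes a receiver must survive without crashing or over-allocating.
GOOD = build_packet(1, 1, 0xDEADBEEF, b"\x01\x00\x02\x01\x05\x00\x00\x00admin")
HUGE_LENGTH = struct.pack(HEADER_FMT, 0xC0, 1, 1, 1, 0xDEADBEEF, 0xFFFFFFFF) + b"\x00" * 8
TRUNCATED = struct.pack(HEADER_FMT, 0xC0, 1, 1, 1, 0xDEADBEEF, 100) + b"\x00" * 10
BAD_TYPE = build_packet(9, 1, 0xDEADBEEF, b"")

if __name__ == "__main__":
    for name, pkt in [("GOOD", GOOD), ("HUGE_LENGTH", HUGE_LENGTH),
                      ("TRUNCATED", TRUNCATED), ("BAD_TYPE", BAD_TYPE)]:
        print(f"{name:12} {check(pkt)}")
```

The two failure shapes worth remembering are the oversized length field (a receiver that allocates or waits for `length` bytes on trust can be starved by one client) and the truncated body (a receiver that indexes into the body without checking what arrived reads past its buffer). Rejecting both before any body parsing is what keeps a malformed packet from becoming a denial of service.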

vulnerability note CVE-2013-3466

Cisco Secure ACS: command execution via EAP-FAST

Synthesis of the vulnerability

When Cisco Secure ACS is configured as a RADIUS server, an attacker can send an EAP-FAST packet carrying a specially crafted user name, in order to execute privileged commands.
Impacted products: Secure ACS.
Severity: 4/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights.
Provenance: internet client.
Creation date: 29/08/2013.
Identifiers: BID-62028, CERTA-2013-AVI-497, cisco-sa-20130828-acs, CSCui57636, CVE-2013-3466, VIGILANCE-VUL-13324.

Description of the vulnerability

The Cisco Secure Access Control Server for Windows product can be configured as a RADIUS and TACACS+ server.

The RADIUS service supports EAP-FAST authentication. However, Cisco Secure ACS does not correctly filter the user name supplied during the EAP-FAST exchange, so a crafted user name is interpreted as a command.

When Cisco Secure ACS is configured as a RADIUS server, an attacker can therefore send an EAP-FAST packet carrying a specially crafted user name, in order to execute privileged commands.
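The defect class described above is an authentication identity reaching a command interpreter unfiltered. As an added illustration (not Cisco's code, and not the actual ACS code path, which the bulletin does not describe), the following Python shows the vulnerable shape beside two independent defences: passing the identity as a single argv element so no shell ever parses it, and allow-list validation of the identity before it goes anywhere. The back-end "lookup" program is a stand-in (a Python one-liner that prints its first argument) so the example runs offline; the identity character set is a conservative assumption, tighter than the NAI grammar in RFC 4282.

```python
"""An authentication identity reaching a shell: vulnerable vs hardened.

Added example, not Cisco's code. The back-end program is a stand-in
(hypothetical), and IDENTITY_RE is an assumed, conservative allow-list.
"""
import os
import re
import shlex
import subprocess
import sys

IS_POSIX = os.name == "posix"

# Stand-in for the back-end lookup program (hypothetical): prints argv[1].
LOOKUP_ARGV = [sys.executable, "-c", "import sys; print(sys.argv[1])"]
LOOKUP_CMDLINE = " ".join(shlex.quote(a) for a in LOOKUP_ARGV)

# Conservative allow-list for an EAP identity: user[@realm]. Deliberately
# tighter than RFC 4282; anything outside it has no business in an identity
# that downstream code may hand to other programs.
IDENTITY_RE = re.compile(r"^[A-Za-z0-9._+\-]{1,64}(@[A-Za-z0-9.\-]{1,255})?$")


def vulnerable_lookup(identity: str) -> str:
    """Splices the identity into a shell command line. On POSIX, /bin/sh
    interprets ';', '|', '$(...)' and friends found inside the identity."""
    proc = subprocess.run(f"{LOOKUP_CMDLINE} {identity}", shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def run_argv(identity: str) -> str:
    """No shell: the identity is one argv element, whatever characters it holds."""
    proc = subprocess.run(LOOKUP_ARGV + [identity], capture_output=True,
                          text=True, check=True)
    return proc.stdout.rstrip("\n")


def validate_identity(identity: str) -> str:
    """Reject identities outside the allow-list before they go anywhere."""
    if not IDENTITY_RE.fullmatch(identity):
        raise ValueError("identity contains characters outside the allowed set")
    return identity


def is_valid_identity(identity: str) -> bool:
    try:
        validate_identity(identity)
    except ValueError:
        return False
    return True


def hardened_lookup(identity: str) -> str:
    """Allow-list validation plus argv passing: two independent layers."""
    return run_argv(validate_identity(identity))


# Constructed identities.
BENIGN = "alice@example.com"
INJECTION = "alice; echo INJECTED"

if __name__ == "__main__":
    print("vulnerable:", repr(vulnerable_lookup(INJECTION)))
    print("argv only: ", repr(run_argv(INJECTION)))
    print("allow-list accepts injection:", is_valid_identity(INJECTION))
    print("hardened:  ", hardened_lookup(BENIGN))
```

Run on a POSIX host, `vulnerable_lookup(INJECTION)` prints `alice` followed by `INJECTED`: the second command ran. `run_argv(INJECTION)` prints the whole string back as one argument, because nothing ever tokenised it. Keeping both layers matters: argv passing protects this one call site, while validation at the protocol boundary protects every consumer of the identity, including ones that log it or pass it to LDAP or SQL.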

vulnerability bulletin CVE-2013-3428

Cisco Secure ACS: information disclosure via System Error

Synthesis of the vulnerability

An attacker can read error messages displayed by Cisco Secure ACS, in order to obtain sensitive information.
Impacted products: Secure ACS.
Severity: 2/4.
Consequences: data reading.
Provenance: physical access.
Creation date: 15/07/2013.
Identifiers: BID-61174, CSCue65957, CVE-2013-3428, VIGILANCE-VUL-13123.

Description of the vulnerability

An attacker can read error messages displayed by Cisco Secure ACS, in order to obtain sensitive information.

vulnerability announce CVE-2013-3424

Cisco Secure ACS: Cross Site Scripting of Admin/View

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting in the Admin/View pages of Cisco Secure ACS, in order to execute JavaScript code in the context of the web site.
Impacted products: Secure ACS.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 15/07/2013.
Identifiers: BID-61175, CSCud75177, CVE-2013-3424, VIGILANCE-VUL-13122.

Description of the vulnerability

The Cisco Secure Access Control System product provides Admin/View web pages.

However, they do not filter received data before inserting it into the generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting in the Admin/View pages of Cisco Secure ACS, in order to execute JavaScript code in the context of the web site.

vulnerability alert CVE-2013-3423

Cisco Secure ACS: Cross Site Scripting of Web Interface

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting in the web interface of Cisco Secure ACS, in order to execute JavaScript code in the context of the web site.
Impacted products: Secure ACS.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 15/07/2013.
Identifiers: BID-61173, CSCud75174, CVE-2013-3423, VIGILANCE-VUL-13121.

Description of the vulnerability

The Cisco Secure Access Control System product provides web pages.

However, they do not filter received data before inserting it into the generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting in the web interface of Cisco Secure ACS, in order to execute JavaScript code in the context of the web site.

vulnerability CVE-2013-3422

Cisco Secure ACS: Cross Site Scripting of System Administration

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting in the System Administration page of Cisco Secure ACS, in order to execute JavaScript code in the context of the web site.
Impacted products: Secure ACS.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 15/07/2013.
Identifiers: BID-61172, CSCud75165, CVE-2013-3422, VIGILANCE-VUL-13120.

Description of the vulnerability

The Cisco Secure Access Control System product provides a System Administration page.

However, it does not filter received data before inserting it into the generated HTML document.

An attacker can therefore trigger a Cross Site Scripting in the System Administration page of Cisco Secure ACS, in order to execute JavaScript code in the context of the web site.

computer vulnerability note CVE-2013-3421

Cisco Secure ACS: Cross Site Scripting of Help Index

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting in the Help Index of Cisco Secure ACS, in order to execute JavaScript code in the context of the web site.
Impacted products: Secure ACS.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 15/07/2013.
Identifiers: BID-61171, CSCud75170, CVE-2013-3421, VIGILANCE-VUL-13119.

Description of the vulnerability

The Cisco Secure Access Control System product provides a Help Index.

However, it does not filter received data before inserting it into the generated HTML document.

An attacker can therefore trigger a Cross Site Scripting in the Help Index of Cisco Secure ACS, in order to execute JavaScript code in the context of the web site.
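The four Cross Site Scripting entries above (Admin/View, Web Interface, System Administration and Help Index) all describe the same defect: received data inserted into HTML without encoding. As an added illustration (not Cisco's or Vigil@nce's code), the following Python renders one constructed page template three ways and checks the result with the standard library's HTML parser, the way a browser would see it. The template, the payloads and the `input_attributes` helper are constructed for this example.

```python
"""Reflected XSS: three ways to put user data into HTML, one of them right.

Added example, not Cisco's code. Template and payloads are constructed.
The point: stripping tags (a block-list) still leaves an attribute-context
injection that needs no '<' at all, while contextual output encoding does not.
"""
import html
import re
from html.parser import HTMLParser

TAG_RE = re.compile(r"<[^>]*>")


def render_vulnerable(query: str) -> str:
    """Raw interpolation into both an attribute value and a text node."""
    return f'<input name="q" value="{query}"><p>Results for {query}</p>'


def render_tag_stripping(query: str) -> str:
    """Block-list 'filter': drops anything that looks like a tag. A payload
    that breaks out of the quoted attribute does not need a tag."""
    cleaned = TAG_RE.sub("", query)
    return f'<input name="q" value="{cleaned}"><p>Results for {cleaned}</p>'


def render_hardened(query: str) -> str:
    """Encode for the context. html.escape(quote=True) turns & < > " ' into
    entities, which is what a quoted attribute value and a text node need."""
    enc = html.escape(query, quote=True)
    return f'<input name="q" value="{enc}"><p>Results for {enc}</p>'


class _InputAttrs(HTMLParser):
    """Collect the <input> attributes as a browser's tokenizer would see them."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs.update(dict(attrs))


def input_attributes(doc: str) -> dict:
    parser = _InputAttrs()
    parser.feed(doc)
    parser.close()
    return parser.attrs


def has_event_handler(doc: str) -> bool:
    """True if the rendered <input> acquired any on* attribute."""
    return any(name.startswith("on") for name in input_attributes(doc))


# Constructed payloads.
ATTR_PAYLOAD = '" onfocus="alert(1)" autofocus="'   # no '<' or '>' anywhere
TAG_PAYLOAD = "<script>alert(1)</script>"

if __name__ == "__main__":
    for name, render in [("vulnerable", render_vulnerable),
                         ("tag-strip", render_tag_stripping),
                         ("hardened", render_hardened)]:
        doc = render(ATTR_PAYLOAD)
        print(f"{name:10} handler injected: {has_event_handler(doc)}")
```

The tag-stripping variant is the trap: it neutralises `<script>` and still hands the attacker an `onfocus` handler, because the payload closes the `value` attribute with a bare quote. Encoding is per context; `html.escape(query, quote=False)` would be enough inside a text node but would reopen exactly this hole inside an attribute, and neither is adequate inside a `<script>` block or a URL, which need their own encoders.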

computer vulnerability CVE-2013-3380

Cisco Access Control Server: privilege escalation via Report View

Synthesis of the vulnerability

An attacker can access the Report View of Cisco Access Control Server, in order to escalate his privileges.
Impacted products: Secure ACS.
Severity: 2/4.
Consequences: privileged access/rights.
Provenance: intranet client.
Creation date: 11/06/2013.
Identifiers: BID-60514, CSCue79279, CVE-2013-3380, VIGILANCE-VUL-12935.

Description of the vulnerability

An attacker can access the Report View of Cisco Access Control Server, in order to escalate his privileges.

computer vulnerability announce CVE-2013-1200

Cisco Secure ACS: session replay

Synthesis of the vulnerability

An attacker can capture the session identifier of Cisco Secure ACS, in order to reuse it and access the user's session.
Impacted products: Secure ACS.
Severity: 2/4.
Consequences: user access/rights.
Provenance: intranet client.
Creation date: 16/05/2013.
Identifiers: BID-59943, CSCud95787, CVE-2013-1200, VIGILANCE-VUL-12837.

Description of the vulnerability

The Cisco Secure Access Control System product provides an interface that requires authentication.

Once authenticated, the user obtains a session identifier. However, this identifier can be captured and reused by an attacker.

An attacker can therefore capture the session identifier of Cisco Secure ACS, in order to reuse it and access the user's session.
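What a captured identifier is worth depends on how the server manages its lifetime. As an added illustration (not Cisco's or Vigil@nce's code; the bulletin does not say which lifecycle defect is involved), the following Python compares two constructed in-memory session stores: one that never revokes or rotates identifiers, and one that revokes on logout, issues a fresh identifier on login and on rotation, and expires idle sessions. The idle timeout value and the injectable clock are assumptions for this example.

```python
"""Session identifier lifecycle: why a captured identifier keeps working.

Added example, not Cisco's code. IDLE_TIMEOUT is an assumption; the clock is
injectable so the timeout can be exercised without waiting.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional


class VulnerableSessions:
    """Identifier stays valid for ever; logout only forgets it on the client."""

    def __init__(self) -> None:
        self._sessions: dict[str, str] = {}

    def login(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = user
        return sid

    def logout(self, sid: str) -> None:
        pass  # the bug: server-side state is kept, so a replayed sid still works

    def whoami(self, sid: str) -> Optional[str]:
        return self._sessions.get(sid)


@dataclass
class _Entry:
    user: str
    last_seen: float


class HardenedSessions:
    IDLE_TIMEOUT = 15 * 60  # seconds; assumption for this example

    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self._clock = clock
        self._sessions: dict[str, _Entry] = {}

    def login(self, user: str, old_sid: Optional[str] = None) -> str:
        """Issue a fresh, unguessable identifier and retire any pre-auth one,
        so a fixated or captured identifier does not carry over into the
        authenticated session."""
        if old_sid is not None:
            self._sessions.pop(old_sid, None)
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = _Entry(user, self._clock())
        return sid

    def rotate(self, sid: str) -> Optional[str]:
        """Swap identifiers (e.g. on privilege change); the old one dies now."""
        entry = self._sessions.pop(sid, None)
        if entry is None:
            return None
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = _Entry(entry.user, self._clock())
        return new_sid

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)  # revoke server side, not just the cookie

    def whoami(self, sid: str) -> Optional[str]:
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._clock()
        if now - entry.last_seen > self.IDLE_TIMEOUT:
            del self._sessions[sid]      # expired: a late replay gets nothing
            return None
        entry.last_seen = now
        return entry.user


def replay_after_logout(store) -> bool:
    """Does an identifier captured during the session still work after logout?"""
    sid = store.login("alice")
    store.logout(sid)
    return store.whoami(sid) == "alice"


if __name__ == "__main__":
    print("vulnerable store replayable:", replay_after_logout(VulnerableSessions()))
    print("hardened store replayable:  ", replay_after_logout(HardenedSessions()))
```

The store only decides how long a stolen identifier stays useful; it does nothing about the capture itself. That side is transport hygiene: the identifier travels only over TLS, in a cookie marked `Secure` and `HttpOnly`, and never in a URL where it lands in logs and Referer headers.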