The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Cisco Secure Access Control System

computer vulnerability note CVE-2014-0668

Cisco Secure ACS: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Cisco Secure ACS, in order to execute JavaScript code in the context of the web site.
Impacted products: Secure ACS.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 20/01/2014.
Identifiers: BID-65016, CSCue65949, CVE-2014-0668, VIGILANCE-VUL-14109.

Description of the vulnerability

The Cisco Secure ACS product offers a web service.

However, it does not filter received data before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of Cisco Secure ACS, in order to execute JavaScript code in the context of the web site.

vulnerability bulletin CVE-2014-0667

Cisco Secure ACS: information disclosure via RMI

Synthesis of the vulnerability

An authenticated attacker can use the RMI interface of Cisco Secure ACS, to read arbitrary files, in order to obtain sensitive information.
Impacted products: Secure ACS.
Severity: 2/4.
Consequences: data reading.
Provenance: user account.
Creation date: 16/01/2014.
Identifiers: BID-64983, CSCud75169, CVE-2014-0667, VIGILANCE-VUL-14103.

Description of the vulnerability

An authenticated attacker can use the RMI interface of Cisco Secure ACS, to read arbitrary files, in order to obtain sensitive information.

computer vulnerability alert CVE-2014-0648 CVE-2014-0649 CVE-2014-0650

Cisco Secure Access Control System: three vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Cisco Secure Access Control System.
Impacted products: Secure ACS.
Severity: 3/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 3.
Creation date: 15/01/2014.
Identifiers: BID-64958, BID-64962, BID-64964, CERTA-2014-AVI-035, cisco-sa-20140115-csacs, CSCud75180, CSCud75187, CSCue65962, CVE-2014-0648, CVE-2014-0649, CVE-2014-0650, VIGILANCE-VUL-14096.

Description of the vulnerability

Several vulnerabilities were announced in Cisco Secure Access Control System.

An authenticated attacker can use the RMI interface, in order to escalate privileges. [severity:3/4; BID-64958, CSCud75180, CVE-2014-0649]

An unauthenticated attacker can use the RMI interface, in order to execute code. [severity:3/4; BID-64962, CSCud75187, CVE-2014-0648]

An attacker can inject commands in the web interface, in order to execute code. [severity:3/4; BID-64964, CSCue65962, CVE-2014-0650]

vulnerability bulletin CVE-2014-0663

Cisco Secure ACS: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Cisco Secure ACS, in order to execute JavaScript code in the context of the web site.
Impacted products: Secure ACS.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 10/01/2014.
Identifiers: BID-64773, CSCum03625, CVE-2014-0663, VIGILANCE-VUL-14053.

Description of the vulnerability

The Cisco Secure ACS product offers a web service.

However, it does not filter received data before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of Cisco Secure ACS, in order to execute JavaScript code in the context of the web site.

computer vulnerability note CVE-2013-6974

Cisco Secure ACS: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Cisco Secure ACS, in order to execute JavaScript code in the context of the web site.
Impacted products: Secure ACS.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 10/01/2014.
Identifiers: BID-64752, CSCud89431, CVE-2013-6974, VIGILANCE-VUL-14049.

Description of the vulnerability

The Cisco Secure ACS product offers a web service.

However, it does not filter received data before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of Cisco Secure ACS, in order to execute JavaScript code in the context of the web site.

computer vulnerability announce CVE-2013-6695

Cisco Secure ACS: information disclosure via Support Bundle

Synthesis of the vulnerability

An authenticated attacker can download the Support Bundle of Cisco Secure ACS, in order to obtain sensitive information.
Impacted products: Secure ACS.
Severity: 2/4.
Consequences: data reading.
Provenance: user account.
Creation date: 02/12/2013.
Identifiers: BID-64049, CSCuj39274, CVE-2013-6695, VIGILANCE-VUL-13857.

Description of the vulnerability

An authenticated attacker can download the Support Bundle of Cisco Secure ACS, in order to obtain sensitive information.

computer vulnerability announce CVE-2013-5536

Cisco Secure ACS: denial of service via Distributed Deployment

Synthesis of the vulnerability

An attacker can send floods of packets to a Cisco Secure ACS Distributed Deployment; these packets are not filtered by the firewall and stop processes, in order to trigger a denial of service.
Impacted products: Secure ACS.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: intranet client.
Creation date: 23/10/2013.
Identifiers: BID-63281, CSCui51521, CVE-2013-5536, VIGILANCE-VUL-13637.

Description of the vulnerability

An attacker can send floods of packets to a Cisco Secure ACS Distributed Deployment; these packets are not filtered by the firewall and stop processes, in order to trigger a denial of service.

computer vulnerability CVE-2013-5470

Cisco Secure ACS: denial of service via TACACS+

Synthesis of the vulnerability

An attacker can send malformed TCP packets to Cisco Secure ACS configured for TACACS+, in order to trigger a denial of service.
Impacted products: Secure ACS.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: intranet client.
Creation date: 04/09/2013.
Identifiers: BID-62145, CSCuh12488, CVE-2013-5470, VIGILANCE-VUL-13345.

Description of the vulnerability

An attacker can send malformed TCP packets to Cisco Secure ACS configured for TACACS+, in order to trigger a denial of service.

vulnerability note CVE-2013-3466

Cisco Secure ACS: command execution via EAP-FAST

Synthesis of the vulnerability

When Cisco Secure ACS is configured as a RADIUS server, an attacker can send an EAP-FAST packet with a special user name, in order to execute privileged commands.
Impacted products: Secure ACS.
Severity: 4/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights.
Provenance: internet client.
Creation date: 29/08/2013.
Identifiers: BID-62028, CERTA-2013-AVI-497, cisco-sa-20130828-acs, CSCui57636, CVE-2013-3466, VIGILANCE-VUL-13324.

Description of the vulnerability

The Cisco Secure Access Control Server for Windows product can be configured as a RADIUS and TACACS+ server.

The RADIUS service supports EAP-FAST authentication. However, Cisco Secure ACS does not correctly filter user names, which are injected as commands.

When Cisco Secure ACS is configured as a RADIUS server, an attacker can therefore send an EAP-FAST packet with a special user name, in order to execute privileged commands.

vulnerability bulletin CVE-2013-3428

Cisco Secure ACS: information disclosure via System Error

Synthesis of the vulnerability

An attacker can read error messages of Cisco Secure ACS, in order to obtain sensitive information.
Impacted products: Secure ACS.
Severity: 2/4.
Consequences: data reading.
Provenance: physical access.
Creation date: 15/07/2013.
Identifiers: BID-61174, CSCue65957, CVE-2013-3428, VIGILANCE-VUL-13123.

Description of the vulnerability

An attacker can read error messages of Cisco Secure ACS, in order to obtain sensitive information.