cbcvebase.
CVE-2013-5486
published 2013-09-23

CVE-2013-5486: Directory traversal vulnerability in processImageSave.jsp in DCNM-SAN Server in Cisco Prime Data Center Network Manager (DCNM) before 6.2(1) allows remote…

PriorityP179critical10CVSS 2.0
AVNACLAuNCCICAC
EXPLOIT
EPSS
75.96%
99.5th percentile
Directory traversal vulnerability in processImageSave.jsp in DCNM-SAN Server in Cisco Prime Data Center Network Manager (DCNM) before 6.2(1) allows remote attackers to write arbitrary files via the chartid parameter, aka Bug IDs CSCue77035 and CSCue77036. NOTE: this can be leveraged to execute arbitrary commands by using the JBoss autodeploy functionality.

Affected

20 ranges
VendorProductVersion rangeFixed in
ciscoprime_data_center_network_manager<= 6.1\(1b\)
ciscoprime_data_center_network_manager
ciscoprime_data_center_network_manager
ciscoprime_data_center_network_manager
ciscoprime_data_center_network_manager
ciscoprime_data_center_network_manager
ciscoprime_data_center_network_manager
ciscoprime_data_center_network_manager
ciscoprime_data_center_network_manager
ciscoprime_data_center_network_manager
ciscoprime_data_center_network_manager
ciscoprime_data_center_network_manager
ciscoprime_data_center_network_manager
ciscoprime_data_center_network_manager
ciscoprime_data_center_network_manager
ciscoprime_data_center_network_manager
ciscoprime_data_center_network_manager
ciscoprime_data_center_network_manager
ciscoprime_data_center_network_manager
ciscoprime_data_center_network_manager

Detection & IOCsextracted from sources · hover to see the quote

path/cues_utility/charts/processImageSave.jsp
filenameprocessImageSave.jsp
commandPOST /cues_utility/charts/processImageSave.jsp mode=save&savefile=true&chartid=<traversal>/<filename>%00&data=<base64>
path../../../../../deploy
path../../jboss-4.2.2.GA/server/fm/deploy
pathC:\Program Files\Cisco Systems\dcm\jboss-4.2.2.GA\server\fm\tmp\deploy\tmp3409372432509144123dcm-exp.war\cues_utility\charts
pathC:\Program Files\Cisco Systems\dcm\jboss-4.2.2.GA\server\fm\deploy
  • Detect POST requests to processImageSave.jsp with directory traversal sequences in the 'chartid' parameter, especially those containing null byte (%00) injection.
  • Monitor for WAR file drops in the JBoss autodeploy directory (jboss-4.2.2.GA/server/fm/deploy) as a sign of successful exploitation leading to RCE.
  • Alert on HTTP 200 responses from processImageSave.jsp containing the string 'success' following a POST with traversal in chartid, indicating a successful file upload.
  • Look for unauthenticated POST requests to /cues_utility/charts/processImageSave.jsp with POST parameters mode=save and savefile=true as exploitation indicators.
  • Detect subsequent GET requests to randomly named application paths following a WAR upload, which indicate JBoss autodeploy payload triggering.
  • ·The exploit has been confirmed against Cisco Prime DCNM 6.1(2) on Windows 2008 R2 (64-bit); the traversal depth (../../../../../deploy) is specific to this version and OS path layout.
  • ·The vulnerability is fixed in Cisco Prime DCNM 6.2(1) and later; detection rules should focus on versions prior to 6.2(1).
  • ·Multiple distinct bug IDs are associated with this CVE (CSCue77035, CSCue77036), indicating the vulnerability may manifest in more than one component of DCNM.

CVSS provenance

nvdv2.010.0CRITICALAV:N/AC:L/Au:N/C:C/I:C/A:C
vendor_cisco10.0CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.