CVE-2016-1297 — OS Command Injection in Cisco Application Control Engine Software

CWE-78 — OS Command Injection4 documents4 sources

Severity

8.8HIGHNVD

EPSS

0.6%

top 30.15%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cisco Application Control Engine Software

Timeline

PublishedFeb 26

Latest updateMay 17

Description

The Device Manager GUI in Cisco Application Control Engine (ACE) 4710 A5 before A5(3.1) allows remote authenticated users to bypass intended RBAC restrictions and execute arbitrary CLI commands with admin privileges via an unspecified parameter in a POST request, aka Bug ID CSCul84801.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages1 packages

▶NVDcisco/application_control_engine_software7 versions+6

🔴Vulnerability Details

GHSA

GHSA-4x6r-cv3m-8ffm: The Device Manager GUI in Cisco Application Control Engine (ACE) 4710 A5 before A5(3↗2022-05-17

▶

CVEList

CVE-2016-1297: The Device Manager GUI in Cisco Application Control Engine (ACE) 4710 A5 before A5(3↗2016-02-26

▶

📋Vendor Advisories

Cisco

Cisco ACE 4710 Application Control Engine Command Injection Vulnerability↗2016-02-24

▶