CVE-2016-1406

CWE-284 — Improper Access Control CWE-2644 documents4 sources

Severity

8.8HIGH

EPSS

0.3%

top 46.60%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cisco Evolved Programmable Network Manager Cisco Prime Infrastructure

Timeline

PublishedMay 25

Latest updateMay 14

Description

The API web interface in Cisco Prime Infrastructure before 3.1 and Cisco Evolved Programmable Network Manager before 1.2.4 allows remote authenticated users to bypass intended RBAC restrictions and obtain sensitive information, and consequently gain privileges, via crafted JSON data, aka Bug ID CSCuy12409.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶NVDcisco/evolved_programmable_network_manager4 versions+3

▶NVDcisco/prime_infrastructure14 versions+13

🔴Vulnerability Details

GHSA

GHSA-h7gf-vcf5-w2p6: The API web interface in Cisco Prime Infrastructure before 3↗2022-05-14

▶

CVEList

CVE-2016-1406: The API web interface in Cisco Prime Infrastructure before 3↗2016-05-25

▶

📋Vendor Advisories

Cisco

Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager JSON Privilege Escalation Vulnerability↗2016-05-23

▶