CVE-2017-12230Incorrect Default Permissions in Cisco IOS XE

CWE-264CWE-276Incorrect Default Permissions4 documents4 sources
Severity
8.8HIGHNVD
EPSS
0.8%
top 26.14%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Cisco IOS XE
Timeline
PublishedSep 29
Latest updateMay 13

Description

A vulnerability in the web-based user interface (web UI) of Cisco IOS XE 16.2 could allow an authenticated, remote attacker to elevate their privileges on an affected device. The vulnerability is due to incorrect default permission settings for new users who are created by using the web UI of the affected software. An attacker could exploit this vulnerability by using the web UI of the affected software to create a new user and then logging into the web UI as the newly created user. A successful

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages1 packages

NVDcisco/ios_xe16.2.1

🔴Vulnerability Details

2
GHSA
GHSA-xg78-wwf5-gc23: A vulnerability in the web-based user interface (web UI) of Cisco IOS XE 162022-05-13
CVEList
CVE-2017-12230: A vulnerability in the web-based user interface (web UI) of Cisco IOS XE 162017-09-28

📋Vendor Advisories

1
Cisco
Cisco IOS XE Software Web UI Privilege Escalation Vulnerability2017-09-27
CVE-2017-12230 — Incorrect Default Permissions in Cisco | cvebase