CVE-2019-12672Link Following in Cisco IOS XE Software 3.11.1s

CWE-59Link Following4 documents4 sources
Severity
6.8MEDIUMNVD
EPSS
0.0%
top 88.96%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Cisco IOS XE Software 3.11.1sCisco IOS
Timeline
PublishedSep 25
Latest updateMay 24

Description

A vulnerability in the filesystem of Cisco IOS XE Software could allow an authenticated, local attacker with physical access to an affected device to execute arbitrary code on the underlying operating system (OS) with root privileges. The vulnerability is due to insufficient file location validation. An attacker could exploit this vulnerability by placing code in a specific format on a USB device and inserting it into an affected Cisco device. A successful exploit could allow the attacker to exe

CVSS vector

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 0.9 | Impact: 5.9

Affected Packages2 packages

CVEListV5cisco/cisco_ios_xe_software_3.11.1sunspecifiedn/a
NVDcisco/ios16.9.1

🔴Vulnerability Details

2
GHSA
GHSA-chch-v8xx-wcp7: A vulnerability in the filesystem of Cisco IOS XE Software could allow an authenticated, local attacker with physical access to an affected device to2022-05-24
CVEList
Cisco IOS XE Software Arbitrary Code Execution Vulnerability2019-09-25

📋Vendor Advisories

1
Cisco
Cisco IOS XE Software Arbitrary Code Execution Vulnerability2019-09-25
CVE-2019-12672 — Link Following in Cisco | cvebase