CVE-2020-3211Command Injection in Cisco IOS XE Software 16.10.1

CWE-77Command InjectionCWE-78OS Command Injection5 documents5 sources
Severity
7.2HIGHNVD
EPSS
1.2%
top 21.25%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Cisco IOS XE Software 16.10.1Cisco IOS XE
Timeline
PublishedJun 3
Latest updateOct 27

Description

A vulnerability in the web UI of Cisco IOS XE Software could allow an authenticated, remote attacker to execute arbitrary commands with root privileges on the underlying operating system of an affected device. The vulnerability is due to improper input sanitization. An attacker who has valid administrative access to an affected device could exploit this vulnerability by supplying a crafted input parameter on a form in the web UI and then submitting that form. A successful exploit could allow the

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages2 packages

NVDcisco/ios_xe16 versions+15

Patches

Patch: tools.cisco.comPatch: tools.cisco.com

🔴Vulnerability Details

2
GHSA
GHSA-px98-8qfg-fm83: A vulnerability in the web UI of Cisco IOS XE Software could allow an authenticated, remote attacker to execute arbitrary commands with root privilege2022-05-24
CVEList
Cisco IOS XE Software Web UI Command Injection Vulnerability2020-06-03

📋Vendor Advisories

2
CISA ICS
Rockwell Automation Stratix Devices Containing Cisco IOS2022-10-27
Cisco
Cisco IOS XE Software Web UI Command Injection Vulnerability2020-06-03
CVE-2020-3211 — Command Injection in Cisco | cvebase