CVE-2021-1220Improper Input Validation in Cisco IOS XE Software

CWE-20Improper Input ValidationCWE-1220Insufficient Granularity of Access ControlCWE-311Missing Encryption of Sensitive DataCWE-319Cleartext Transmission of Sensitive Info9 documents8 sources
Severity
4.3MEDIUMNVD
CISA7.8
EPSS
0.2%
top 57.88%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Cisco IOS XE SoftwareCisco IOS XE
Timeline
PublishedMar 24
Latest updateMay 24

Description

Multiple vulnerabilities in the web UI of Cisco IOS XE Software could allow an authenticated, remote attacker with read-only privileges to cause the web UI software to become unresponsive and consume vty line instances, resulting in a denial of service (DoS) condition. These vulnerabilities are due to insufficient error handling in the web UI. An attacker could exploit these vulnerabilities by sending crafted HTTP packets to an affected device. A successful exploit could allow the attacker to ca

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:LExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

NVDcisco/ios_xe35 versions+34

🔴Vulnerability Details

4
GHSA
GHSA-4m9r-j9f4-4m4g: Multiple vulnerabilities in the web UI of Cisco IOS XE Software could allow an authenticated, remote attacker with read-only privileges to cause the w2022-05-24
GHSA
Withdrawn Advisory: Insufficient Granularity of Access Control in JSDom2022-05-24
GHSA
Missing encryption in Apache Directory Studio2021-08-09
CVEList
Cisco IOS XE Software Web UI Denial of Service Vulnerabilities2021-03-24

💥Exploits & PoCs

1
Exploit-DB
MyBB OUGC Feedback Plugin 1.8.22 - Cross-Site Scripting2021-03-11

📋Vendor Advisories

3
CISA
Microsoft Windows SAM Local Privilege Escalation Vulnerability2022-02-10
Red Hat
kernel: NVIDIA driver improper access control may lead to code execution2022-01-18
Cisco
Cisco IOS XE Software Web UI Denial of Service Vulnerabilities2021-03-24
CVE-2021-1220 — Improper Input Validation in Cisco | cvebase