CVE-2022-20851Command Injection in Cisco IOS XE Software

CWE-77Command InjectionCWE-78OS Command Injection4 documents4 sources
Severity
7.2HIGHNVD
CNA5.5
EPSS
0.2%
top 58.21%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Cisco IOS XE SoftwareCisco IOS XE
Timeline
PublishedSep 30
Latest updateOct 1

Description

A vulnerability in the web UI feature of Cisco IOS XE Software could allow an authenticated, remote attacker to perform an injection attack against an affected device. This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending crafted input to the web UI API. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with root privileges. To exploit this vulnerability, an attacker must ha

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages2 packages

NVDcisco/ios_xe17.6.1

🔴Vulnerability Details

2
GHSA
GHSA-cqv7-6595-m97v: A vulnerability in the web UI feature of Cisco IOS XE Software could allow an authenticated, remote attacker to perform an injection attack against an2022-10-01
CVEList
Cisco IOS XE Software Web UI Command Injection Vulnerability2022-09-30

📋Vendor Advisories

1
Cisco
Cisco IOS XE Software Web UI Command Injection Vulnerability2022-09-28
CVE-2022-20851 — Command Injection in Cisco | cvebase