CVE-2024-20356 — OS Command Injection in Cisco Unified Computing System
Severity
8.7 HIGH (NVD)
EPSS
43.4%
top 2.49%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Apr 24
Description
A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) could allow an authenticated, remote attacker with Administrator-level privileges to perform command injection attacks on an affected system and elevate their privileges to root. This vulnerability is due to insufficient user input validation. An attacker could exploit this vulnerability by sending crafted commands to the web-based management interface of the affected software. A successful expl…
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
Exploitability: 2.3 | Impact: 5.8
Affected Packages
2 packages
Vulnerability Details (2)
CVEList
CVE-2024-20356: A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) could allow an authenticated, remote attacker wi… (2024-04-24)
GHSA
GHSA-m2xm-r93v-mjrm: A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) could allow an authenticated, remote attacker wi… (2024-04-24)
Vendor Advisories (1)
Cisco
Cisco Integrated Management Controller Web-Based Management Interface Command Injection Vulnerability (2024-04-17)