CVE-2024-20477

CWE-862Missing AuthorizationCWE-285CWE-6934 documents4 sources
Severity
5.4MEDIUM
EPSS
0.5%
top 36.00%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Cisco Nexus DashboardCisco Nexus Dashboard Fabric ControllerCisco Cisco Data Center Network Manager
Timeline
PublishedOct 2

Description

A vulnerability in a specific REST API endpoint of Cisco NDFC could allow an authenticated, low-privileged, remote attacker to upload or delete files on an affected device. This vulnerability exists because of missing authorization controls on the affected REST API endpoint. An attacker could exploit this vulnerability by sending crafted API requests to the affected endpoint. A successful exploit could allow the attacker to upload files into a specific container or delete files from a specific

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:LExploitability: 2.8 | Impact: 2.5

Affected Packages3 packages

NVDcisco/nexus_dashboard< 3.2\(1e\)
CVEListV5cisco/cisco_data_center_network_manager11 versions+10

🔴Vulnerability Details

2
CVEList
Cisco Nexus Dashboard Fabric Controller Unauthorized REST API Endpoint Vulnerability2024-10-02
GHSA
GHSA-m728-ff6j-xcqp: A vulnerability in a specific REST API endpoint of Cisco NDFC could allow an authenticated, low-privileged, remote attacker to upload or delete files2024-10-02

📋Vendor Advisories

1
Cisco
Cisco Nexus Dashboard and Nexus Dashboard Fabric Controller Unauthorized REST API Vulnerabilities2024-10-02
CVE-2024-20477 (MEDIUM CVSS 5.4) | A vulnerability in a specific REST | cvebase.io