CVE-2024-20536

CWE-89 — SQL Injection4 documents4 sources

Severity

8.8HIGH

EPSS

1.3%

top 20.24%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cisco Cisco Data Center Network Manager Cisco Nexus Dashboard Fabric Controller

Timeline

PublishedNov 6

Description

A vulnerability in a REST API endpoint and web-based management interface of Cisco Nexus Dashboard Fabric Controller (NDFC) could allow an authenticated, remote attacker with read-only privileges to execute arbitrary SQL commands on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted request to a specific REST API endpoint or web-based management interface. A successful exploit could a…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶NVDcisco/nexus_dashboard_fabric_controller12.1.2, 12.1.3+1

▶CVEListV5cisco/cisco_data_center_network_manager12.1.2e, 12.1.2p, 12.1.3b+2

🔴Vulnerability Details

CVEList

Cisco Nexus Dashboard Fabric Controller SQL Injection Vulnerability↗2024-11-06

▶

GHSA

GHSA-5w27-pxmv-rgxx: A vulnerability in a REST API endpoint and web-based management interface of Cisco Nexus Dashboard Fabric Controller (NDFC) could allow an authenticat↗2024-11-06

▶

📋Vendor Advisories

Cisco

Cisco Nexus Dashboard Fabric Controller SQL Injection Vulnerability↗2024-11-06

▶