Cisco IOS XE Software vulnerabilities

238 known vulnerabilities affecting cisco/cisco_ios_xe_software.

Total CVEs: 238
CISA KEV: 6 (actively exploited)
Public exploits: 4
Exploited in wild: 6
Severity breakdown: CRITICAL 10, HIGH 136, MEDIUM 92

Vulnerabilities

Page 8 of 12
CVE-2021-1431 | HIGH | CVSS 7.5 | CWE-20 | version n/a | published 2021-03-24 | sources: cvelistv5, nvd
A vulnerability in the vDaemon process of Cisco IOS XE SD-WAN Software could allow an unauthenticated, remote attacker to cause a device to reload, resulting in a denial of service (DoS) condition. This vulnerability is due to insufficient handling of malformed packets. An attacker could exploit this vulnerability by sending crafted traffic to an affected d…

CVE-2021-1403 | HIGH | CVSS 7.4 | CWE-345 | version n/a | published 2021-03-24 | sources: cvelistv5, nvd
A vulnerability in the web UI feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a cross-site WebSocket hijacking (CSWSH) attack and cause a denial of service (DoS) condition on an affected device. This vulnerability is due to insufficient HTTP protections in the web UI on an affected device. An attacker could ex…

CVE-2021-1446 | HIGH | CVSS 7.5 | CWE-754 | version n/a | published 2021-03-24 | sources: cvelistv5, nvd
A vulnerability in the DNS application layer gateway (ALG) functionality used by Network Address Translation (NAT) in Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload. The vulnerability is due to a logic error that occurs when an affected device inspects certain DNS packets. An attacker could ex…

CVE-2021-1433 | HIGH | CVSS 8.1 | CWE-119 | version n/a | published 2021-03-24 | sources: cvelistv5, nvd
A vulnerability in the vDaemon process in Cisco IOS XE SD-WAN Software could allow an unauthenticated, remote attacker to cause a buffer overflow on an affected device. This vulnerability is due to insufficient bounds checking when the device processes traffic. An attacker could exploit this vulnerability by sending crafted traffic to the device. The at…

CVE-2021-1442 | HIGH | CVSS 7.8 | CWE-532 | version n/a | published 2021-03-24 | sources: cvelistv5, nvd
A vulnerability in a diagnostic command for the Plug-and-Play (PnP) subsystem of Cisco IOS XE Software could allow an authenticated, local attacker to elevate privileges to the level of an Administrator user (level 15) on an affected device. The vulnerability is due to insufficient protection of sensitive information. An attacker with low privileges cou…

CVE-2021-1435 | HIGH | CVSS 7.2 | CWE-22 | Exploited in the wild | version n/a | published 2021-03-24 | sources: cvelistv5, nvd
A vulnerability in the web UI of Cisco IOS XE Software could allow an authenticated, remote attacker to inject arbitrary commands that can be executed as the root user. This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending a crafted request to the web UI of an affected device with arbitrary co…

CVE-2021-1443 | HIGH | CVSS 7.2 | CWE-77 | version n/a | published 2021-03-24 | sources: cvelistv5, nvd
A vulnerability in the web UI of Cisco IOS XE Software could allow an authenticated, remote attacker to execute arbitrary code with root privileges on the underlying operating system of an affected device. The vulnerability exists because the affected software improperly sanitizes values that are parsed from a specific configuration file. An attacker cou…

CVE-2021-1384 | HIGH | CVSS 7.2 | CWE-77 | version n/a | published 2021-03-24 | sources: cvelistv5, nvd
A vulnerability in the Cisco IOx application hosting environment of Cisco IOS XE Software could allow an authenticated, remote attacker to inject commands into the underlying operating system as the root user. This vulnerability is due to incomplete validation of fields in the application packages loaded onto IOx. An attacker could exploit this vulnerability…

CVE-2021-1373 | HIGH | CVSS 8.6 | CWE-126 | version n/a | published 2021-03-24 | sources: cvelistv5, nvd
A vulnerability in the Control and Provisioning of Wireless Access Points (CAPWAP) protocol processing of Cisco IOS XE Wireless Controller Software for the Cisco Catalyst 9000 Family Wireless Controllers could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to insuffi…

CVE-2021-1220 | MEDIUM | CVSS 4.3 | CWE-20 | version n/a | published 2021-03-24 | sources: cvelistv5, nvd
Multiple vulnerabilities in the web UI of Cisco IOS XE Software could allow an authenticated, remote attacker with read-only privileges to cause the web UI software to become unresponsive and consume vty line instances, resulting in a denial of service (DoS) condition. These vulnerabilities are due to insufficient error handling in the web UI. An attac…

CVE-2021-1352 | MEDIUM | CVSS 6.5 | CWE-823 | version n/a | published 2021-03-24 | sources: cvelistv5, nvd
A vulnerability in the DECnet Phase IV and DECnet/OSI protocol processing of Cisco IOS XE Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to insufficient input validation of DECnet traffic that is received by an affected device. An attacker could ex…

CVE-2021-1356 | MEDIUM | CVSS 4.3 | CWE-20 | version n/a | published 2021-03-24 | sources: cvelistv5, nvd
Multiple vulnerabilities in the web UI of Cisco IOS XE Software could allow an authenticated, remote attacker with read-only privileges to cause the web UI software to become unresponsive and consume vty line instances, resulting in a denial of service (DoS) condition. These vulnerabilities are due to insufficient error handling in the web UI. An attac…

CVE-2021-1371 | MEDIUM | CVSS 6.6 | CWE-269 | version n/a | published 2021-03-24 | sources: cvelistv5, nvd
A vulnerability in the role-based access control of Cisco IOS XE SD-WAN Software could allow an authenticated, local attacker with read-only privileges to obtain administrative privileges by using the console port when the device is in the default SD-WAN configuration. This vulnerability occurs because the default configuration is applied for console…

CVE-2021-1376 | MEDIUM | CVSS 6.7 | CWE-347 | version n/a | published 2021-03-24 | sources: cvelistv5, nvd
Multiple vulnerabilities in the fast reload feature of Cisco IOS XE Software running on Cisco Catalyst 3850, Cisco Catalyst 9300, and Cisco Catalyst 9300L Series Switches could allow an authenticated, local attacker to either execute arbitrary code on the underlying operating system, install and boot a malicious software image, or execute unsigned bin…

CVE-2021-1398 | MEDIUM | CVSS 6.8 | CWE-489 | version n/a | published 2021-03-24 | sources: cvelistv5, nvd
A vulnerability in the boot logic of Cisco IOS XE Software could allow an authenticated, local attacker with level 15 privileges or an unauthenticated attacker with physical access to execute arbitrary code on the underlying Linux operating system of an affected device. This vulnerability is due to incorrect validations of specific function arguments…

CVE-2021-1375 | MEDIUM | CVSS 6.7 | CWE-347 | version n/a | published 2021-03-24 | sources: cvelistv5, nvd
Multiple vulnerabilities in the fast reload feature of Cisco IOS XE Software running on Cisco Catalyst 3850, Cisco Catalyst 9300, and Cisco Catalyst 9300L Series Switches could allow an authenticated, local attacker to either execute arbitrary code on the underlying operating system, install and boot a malicious software image, or execute unsigned bin…

CVE-2021-1453 | MEDIUM | CVSS 6.8 | CWE-347 | version n/a | published 2021-03-24 | sources: cvelistv5, nvd
A vulnerability in the software image verification functionality of Cisco IOS XE Software for the Cisco Catalyst 9000 Family of switches could allow an unauthenticated, physical attacker to execute unsigned code at system boot time. The vulnerability is due to an improper check in the code function that manages the verification of the digital signatur…

CVE-2021-1436 | MEDIUM | CVSS 4.4 | CWE-22 | version n/a | published 2021-03-24 | sources: cvelistv5, nvd
A vulnerability in the CLI of Cisco IOS XE SD-WAN Software could allow an authenticated, local attacker to conduct path traversal attacks and obtain read access to sensitive files on an affected system. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted request…

CVE-2021-1390 | MEDIUM | CVSS 6.7 | CWE-123 | version n/a | published 2021-03-24 | sources: cvelistv5, nvd
A vulnerability in one of the diagnostic test CLI commands of Cisco IOS XE Software could allow an authenticated, local attacker to execute arbitrary code on an affected device. To exploit this vulnerability, the attacker would need to have valid user credentials at privilege level 15. This vulnerability exists because the affected software permits mo…

CVE-2021-1383 | MEDIUM | CVSS 6.7 | CWE-20 | version n/a | published 2021-03-24 | sources: cvelistv5, nvd
Multiple vulnerabilities in the CLI of Cisco IOS XE SD-WAN Software could allow an authenticated, local attacker to access the underlying operating system with root privileges. These vulnerabilities are due to insufficient input validation of certain CLI commands. An attacker could exploit these vulnerabilities by authenticating to the device and submi…
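The twenty entries on this page, ranked the way a patch-prioritisation pass would rank them, as an added example that is not part of this listing or of any Cisco or CISA tooling. The rows are copied from the page (ID, severity label, CVSS score, CWE, the page's "Exploited" marker) with each description trimmed by hand to the clause that names the attacker precondition; the parser pulls that precondition out of the text. The tier rules (exploited first, then unauthenticated remote, then anything else reachable over the network, then local or physical) and the "web UI" grouping are this example's own assumptions, not a published scoring scheme.

```python
"""Triage of the Cisco IOS XE CVE entries on this page (added example).

Each row is (CVE, page severity label, CVSS base score, CWE, page "Exploited"
marker, hand-trimmed excerpt of the page's description). The excerpts keep the
"<un>authenticated, <vector> attacker" clause verbatim; everything else is
shortened. Tier rules below are this example's assumptions, not Cisco's/CISA's.
"""
import re
from dataclasses import dataclass

ENTRIES = [
    ("CVE-2021-1431", "HIGH",   7.5, "CWE-20",  False, "vDaemon (SD-WAN): unauthenticated, remote attacker can reload the device (DoS)"),
    ("CVE-2021-1403", "HIGH",   7.4, "CWE-345", False, "web UI: unauthenticated, remote attacker can perform cross-site WebSocket hijacking (DoS)"),
    ("CVE-2021-1446", "HIGH",   7.5, "CWE-754", False, "DNS ALG in NAT: unauthenticated, remote attacker can reload the device (DoS)"),
    ("CVE-2021-1433", "HIGH",   8.1, "CWE-119", False, "vDaemon (SD-WAN): unauthenticated, remote attacker can trigger a buffer overflow"),
    ("CVE-2021-1442", "HIGH",   7.8, "CWE-532", False, "PnP diagnostic command: authenticated, local attacker can gain level 15 privileges"),
    ("CVE-2021-1435", "HIGH",   7.2, "CWE-22",  True,  "web UI: authenticated, remote attacker can inject commands run as root"),
    ("CVE-2021-1443", "HIGH",   7.2, "CWE-77",  False, "web UI: authenticated, remote attacker can execute code as root via a config file value"),
    ("CVE-2021-1384", "HIGH",   7.2, "CWE-77",  False, "IOx app hosting: authenticated, remote attacker can inject OS commands as root"),
    ("CVE-2021-1373", "HIGH",   8.6, "CWE-126", False, "CAPWAP on Catalyst 9000 WLC: unauthenticated, remote attacker can cause DoS"),
    ("CVE-2021-1220", "MEDIUM", 4.3, "CWE-20",  False, "web UI: authenticated, remote attacker with read-only privileges can exhaust vty lines (DoS)"),
    ("CVE-2021-1352", "MEDIUM", 6.5, "CWE-823", False, "DECnet processing: unauthenticated, adjacent attacker can cause DoS"),
    ("CVE-2021-1356", "MEDIUM", 4.3, "CWE-20",  False, "web UI: authenticated, remote attacker with read-only privileges can exhaust vty lines (DoS)"),
    ("CVE-2021-1371", "MEDIUM", 6.6, "CWE-269", False, "SD-WAN RBAC: authenticated, local attacker gains admin via the console port in the default config"),
    ("CVE-2021-1376", "MEDIUM", 6.7, "CWE-347", False, "fast reload (Cat 3850/9300/9300L): authenticated, local attacker can run unsigned code or image"),
    ("CVE-2021-1398", "MEDIUM", 6.8, "CWE-489", False, "boot logic: authenticated, local attacker with level 15, or unauthenticated attacker with physical access, runs arbitrary code"),
    ("CVE-2021-1375", "MEDIUM", 6.7, "CWE-347", False, "fast reload (Cat 3850/9300/9300L): authenticated, local attacker can run unsigned code or image"),
    ("CVE-2021-1453", "MEDIUM", 6.8, "CWE-347", False, "image verification (Catalyst 9000): unauthenticated, physical attacker runs unsigned code at boot"),
    ("CVE-2021-1436", "MEDIUM", 4.4, "CWE-22",  False, "SD-WAN CLI: authenticated, local attacker can read sensitive files via path traversal"),
    ("CVE-2021-1390", "MEDIUM", 6.7, "CWE-123", False, "diagnostic test CLI: authenticated, local attacker (level 15) can execute arbitrary code"),
    ("CVE-2021-1383", "MEDIUM", 6.7, "CWE-20",  False, "SD-WAN CLI: authenticated, local attacker can reach the OS as root"),
]

# Cisco advisory wording is regular enough that the first precondition clause
# ("unauthenticated, remote attacker") is reliably recoverable with one regex.
PRECONDITION = re.compile(
    r"\b(unauthenticated|authenticated),\s*(remote|adjacent|local|physical)\s+attacker", re.I)


@dataclass
class Finding:
    cve: str
    label: str
    cvss: float
    cwe: str
    exploited: bool
    auth_required: bool
    vector: str
    web_ui: bool


def parse(row):
    """Build a Finding from a page row; refuse rows with no precondition clause."""
    cve, label, cvss, cwe, exploited, text = row
    m = PRECONDITION.search(text)
    if m is None:
        raise ValueError(f"{cve}: description states no attacker precondition")
    auth, vector = m.group(1).lower(), m.group(2).lower()
    return Finding(cve, label, cvss, cwe, exploited,
                   auth == "authenticated", vector, "web ui" in text.lower())


def severity(cvss):
    """CVSS v3.x qualitative rating bands (None / Low / Medium / High / Critical)."""
    if cvss >= 9.0:
        return "CRITICAL"
    if cvss >= 7.0:
        return "HIGH"
    if cvss >= 4.0:
        return "MEDIUM"
    return "LOW" if cvss > 0.0 else "NONE"


def tier(f):
    """0 = exploited in the wild, 1 = unauthenticated remote, 2 = other network-reachable, 3 = local/physical."""
    if f.exploited:
        return 0
    if not f.auth_required and f.vector == "remote":
        return 1
    if f.vector in ("remote", "adjacent"):
        return 2
    return 3


def triage(rows=ENTRIES):
    """Findings ordered by tier, then CVSS descending, then CVE id so the order is stable."""
    return sorted((parse(r) for r in rows), key=lambda f: (tier(f), -f.cvss, f.cve))


def web_ui_cves(rows=ENTRIES):
    """CVEs whose attack surface is the HTTP(S) server / web UI, in page order."""
    return [f.cve for f in map(parse, rows) if f.web_ui]


def label_mismatches(rows=ENTRIES):
    """Page severity labels that disagree with the CVSS band; an empty list means the page is consistent."""
    return [f.cve for f in map(parse, rows) if severity(f.cvss) != f.label]


if __name__ == "__main__":
    for f in triage():
        who = ("auth" if f.auth_required else "unauth") + "/" + f.vector
        print(f"T{tier(f)} {f.cve} {f.cvss:>4} {'EXPLOITED ' if f.exploited else ''}{who} {f.cwe}")
    print("web UI exposure:", web_ui_cves())
    print("label mismatches:", label_mismatches())
```

Running it puts CVE-2021-1435 first because the page marks it as exploited, then the unauthenticated remote issues (CVE-2021-1373, -1433, -1431, -1446, -1403) by score, and pushes the local and physical-access entries to the bottom regardless of CVSS. The five web UI entries share a single attack surface, which is why they are grouped separately: whether the HTTP server is reachable from untrusted networks decides how much of that group matters on a given device.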