Cisco Industrial Network Director vulnerabilities

CVE-2023-20036 [CRITICAL] CWE-78 CVE-2023-20036: A vulnerability in the web UI of Cisco IND could allow an authenticated, remote attacker to execute A vulnerability in the web UI of Cisco IND could allow an authenticated, remote attacker to execute arbitrary commands with administrative privileges on the underlying operating system of an affected device. This vulnerability is due to improper input validation when uploading a Device Pack. An attacker could exploit this vulnerability by altering

CVE-2023-20039 [MEDIUM] CWE-552 CVE-2023-20039: A vulnerability in Cisco IND could allow an authenticated, local attacker to read application data. A vulnerability in Cisco IND could allow an authenticated, local attacker to read application data. This vulnerability is due to insufficient default file permissions that are applied to the application data directory. An attacker could exploit this vulnerability by accessing files in the application data directory. A successful exploit could allow

CVE-2023-20038 [HIGH] CWE-321 CVE-2023-20038: A vulnerability in the monitoring application of Cisco Industrial Network Director could allow an au A vulnerability in the monitoring application of Cisco Industrial Network Director could allow an authenticated, local attacker to access a static secret key used to store both local data and credentials for accessing remote systems. This vulnerability is due to a static key value stored in the application used to encrypt application data and remote c

CVE-2023-20037 [MEDIUM] CWE-79 CVE-2023-20037: A vulnerability in Cisco Industrial Network Director could allow an authenticated, remote attacker t A vulnerability in Cisco Industrial Network Director could allow an authenticated, remote attacker to conduct stored cross-site scripting (XSS) attacks. The vulnerability is due to improper validation of content submitted to the affected application. An attacker could exploit this vulnerability by sending requests containing malicious values to the a

CVE-2020-3567 [MEDIUM] CWE-20 CVE-2020-3567: A vulnerability in the management REST API of Cisco Industrial Network Director (IND) could allow an A vulnerability in the management REST API of Cisco Industrial Network Director (IND) could allow an authenticated, remote attacker to cause the CPU utilization to increase to 100 percent, resulting in a denial of service (DoS) condition on an affected device. The vulnerability is due to insufficient validation of requests sent to the REST API. An atta

CVE-2019-15973 [MEDIUM] CWE-79 CVE-2019-15973: A vulnerability in the web-based management interface of Cisco Industrial Network Director (IND) cou A vulnerability in the web-based management interface of Cisco Industrial Network Director (IND) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface of an affected application. The vulnerability is due to insufficient validation of user-supplied input by the web-based manageme

CVE-2019-1976 [CRITICAL] CWE-200 CVE-2019-1976: A vulnerability in the “plug-and-play” services component of Cisco Industrial Network Di A vulnerability in the “plug-and-play” services component of Cisco Industrial Network Director (IND) could allow an unauthenticated, remote attacker to access sensitive information on an affected device. The vulnerability is due to improper access restrictions on the web-based management interface. An attacker could exploit this vulnerability by sen

CVE-2019-1940 [MEDIUM] CWE-310 CVE-2019-1940: A vulnerability in the Web Services Management Agent (WSMA) feature of Cisco Industrial Network Dire A vulnerability in the Web Services Management Agent (WSMA) feature of Cisco Industrial Network Director (IND) could allow an unauthenticated, remote attacker to gain unauthorized read access to sensitive data using an invalid X.509 certificate. The vulnerability is due to insufficient X.509 certificate validation when establishing a WSMA connection.

CVE-2019-1861 [HIGH] CWE-20 CVE-2019-1861: A vulnerability in the software update feature of Cisco Industrial Network Director could allow an a A vulnerability in the software update feature of Cisco Industrial Network Director could allow an authenticated, remote attacker to execute arbitrary code. The vulnerability is due to improper validation of files uploaded to the affected application. An attacker could exploit this vulnerability by authenticating to the affected system using administrato

CVE-2019-1881 [MEDIUM] CWE-352 CVE-2019-1881: A vulnerability in the web-based management interface of Cisco Industrial Network Director (IND) cou A vulnerability in the web-based management interface of Cisco Industrial Network Director (IND) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. The vulnerability is due to insufficient CSRF protections for the web-based management interface of t

CVE-2019-1882 [MEDIUM] CWE-79 CVE-2019-1882: A vulnerability in Cisco Industrial Network Director could allow an authenticated, remote attacker t A vulnerability in Cisco Industrial Network Director could allow an authenticated, remote attacker to conduct stored cross-site scripting (XSS) attacks. The vulnerability is due to improper validation of content submitted to the affected application. An attacker could exploit this vulnerability by sending requests containing malicious values to the aff

CVE-2018-15392 [MEDIUM] CWE-399 CVE-2018-15392: A vulnerability in the DHCP service of Cisco Industrial Network Director could allow an unauthentica A vulnerability in the DHCP service of Cisco Industrial Network Director could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition. The vulnerability is due to improper handling of DHCP lease requests. An attacker could exploit this vulnerability by sending malicious DHCP lease requests to an affected application

CVE-2017-6675 [MEDIUM] CWE-79 CVE-2017-6675: A vulnerability in the web interface of Cisco Industrial Network Director could allow an unauthentic A vulnerability in the web interface of Cisco Industrial Network Director could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack against an affected system. More Information: CSCvd25405. Known Affected Releases: 1.1(0.176).