Cisco Secure Access Control System vulnerabilities
15 known vulnerabilities affecting cisco/secure_access_control_system.
Total CVEs: 15
CISA KEV: 1 (actively exploited)
Public exploits: 0
Exploited in wild: 1
Severity breakdown: CRITICAL 5, HIGH 1, MEDIUM 9
Vulnerabilities
CVE-2018-0253 | CRITICAL | CVSS 9.8 | CWE-20 | fixed in 5.8 | v5.8 +1 more | 2018-05-02
A vulnerability in the ACS Report component of Cisco Secure Access Control System (ACS) could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected system. Commands executed by the attacker are processed at the targeted user's privilege level. The vulnerability is due to insufficient validation of the Action Message Fo
nvd
CVE-2018-0147 | CRITICAL | CVSS 9.8 | KEV | CWE-20 | v5.2(0.3) | 2018-03-08
A vulnerability in Java deserialization used by Cisco Secure Access Control System (ACS) prior to release 5.8 patch 9 could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device. The vulnerability is due to insecure deserialization of user-supplied content by the affected software. An attacker could exploit thi
nvd
CVE-2017-12354 | MEDIUM | CVSS 5.3 | CWE-200 | v5.8(0.32) | 2017-11-30
A vulnerability in the web-based interface of Cisco Secure Access Control System (ACS) could allow an unauthenticated, remote attacker to view sensitive information on an affected system. The vulnerability exists because the affected software does not sufficiently protect system software version information when the software responds to HTTP request
nvd
CVE-2017-6769 | MEDIUM | CVSS 5.4 | CWE-79 | v5.8(0.8), v5.8(1.5) | 2017-08-07
A vulnerability in the web-based management interface of the Cisco Secure Access Control System (ACS) could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web interface of the affected system. More Information: CSCve70587. Known Affected Releases: 5.8(0.8) 5.8(1.5).
nvd
CVE-2017-3841 | HIGH | CVSS 7.5 | CWE-200 | v5.8(2.5) | 2017-02-22
A vulnerability in the web interface of the Cisco Secure Access Control System (ACS) could allow an unauthenticated, remote attacker to disclose sensitive information. More Information: CSCvc04854. Known Affected Releases: 5.8(2.5).
nvd
CVE-2017-3839 | MEDIUM | CVSS 4.3 | CWE-611 | v5.8(2.5) | 2017-02-22
An XML External Entity vulnerability in the web-based user interface of the Cisco Secure Access Control System (ACS) could allow an unauthenticated, remote attacker to have read access to part of the information stored in the affected system. More Information: CSCvc04845. Known Affected Releases: 5.8(2.5).
nvd
CVE-2017-3840 | MEDIUM | CVSS 6.1 | CWE-601 | v5.8(2.5) | 2017-02-22
A vulnerability in the web interface of the Cisco Secure Access Control System (ACS) could allow an unauthenticated, remote attacker to redirect a user to a malicious web page, aka an Open Redirect Vulnerability. More Information: CSCvc04849. Known Affected Releases: 5.8(2.5).
nvd
CVE-2017-3838 | MEDIUM | CVSS 6.1 | CWE-79 | v5.8(2.5) | 2017-02-22
A vulnerability in Cisco Secure Access Control System (ACS) could allow an unauthenticated, remote attacker to conduct a DOM-based cross-site scripting (XSS) attack against the user of the web interface of the affected system. More Information: CSCvc04838. Known Affected Releases: 5.8(2.5).
nvd
CVE-2015-4219 | MEDIUM | CVSS 4.0 | CWE-200 | ≤ 5.4.0.46.1, v5.3.0.40.5 | 2015-06-24
Cisco Secure Access Control System before 5.4(0.46.2) and 5.5 before 5.5(0.46) and Cisco Identity Services Engine 1.0(4.573) do not properly implement access control for support bundles, which allows remote authenticated users to obtain sensitive information via brute-force attempts to send valid credentials, aka Bug IDs CSCue00833 and CSCub40331.
nvd
CVE-2015-0728 | MEDIUM | CVSS 4.3 | CWE-79 | v5.5(0.1) | 2015-05-15
Cross-site scripting (XSS) vulnerability in Cisco Access Control Server (ACS) 5.5(0.1) allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug ID CSCuu11002.
nvd
CVE-2015-0580 | MEDIUM | CVSS 6.5 | CWE-89 | ≤ 5.5.0.46 | 2015-02-12
Multiple SQL injection vulnerabilities in the ACS View reporting interface pages in Cisco Secure Access Control System (ACS) before 5.5 patch 7 allow remote authenticated administrators to execute arbitrary SQL commands via crafted HTTPS requests, aka Bug ID CSCuq79027.
nvd
CVE-2014-0648 | CRITICAL | CVSS 10.0 | CWE-264 | ≤ 5.4.0.46.6, v5.1 +24 more | 2014-01-16
The RMI interface in Cisco Secure Access Control System (ACS) 5.x before 5.5 does not properly enforce authentication and authorization requirements, which allows remote attackers to obtain administrative access via a request to this interface, aka Bug ID CSCud75187.
nvd
CVE-2014-0650 | CRITICAL | CVSS 10.0 | CWE-20 | ≤ 5.4.0.46.2, v5.1 +20 more | 2014-01-16
The web interface in Cisco Secure Access Control System (ACS) 5.x before 5.4 Patch 3 allows remote attackers to execute arbitrary operating-system commands via a request to this interface, aka Bug ID CSCue65962.
nvd
CVE-2014-0649 | CRITICAL | CVSS 9.0 | CWE-264 | ≤ 5.4.0.46.6, v5.1 +24 more | 2014-01-16
The RMI interface in Cisco Secure Access Control System (ACS) 5.x before 5.5 does not properly enforce authorization requirements, which allows remote authenticated users to obtain superadmin access via a request to this interface, aka Bug ID CSCud75180.
nvd
CVE-2011-0951 | MEDIUM | CVSS 5.0 | CWE-255 | v5.1, v5.1.0.44 +9 more | 2011-04-04
The web-based management interface in Cisco Secure Access Control System (ACS) 5.1 before 5.1.0.44.6 and 5.2 before 5.2.0.26.3 allows remote attackers to change arbitrary user passwords via unspecified vectors, aka Bug ID CSCtl77440.
nvd