SB2021011407 - Multiple vulnerabilities in Cisco Connected Mobile Experiences

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2021-1144)

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists due to incorrect handling of authorization checks for changing a password. A remote authenticated attacker can send a specially crafted HTTP request and alter the passwords of any user on the system, including an administrative user.

2) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2021-1143)

The vulnerability allows a remote attacker to gain access to sensitive information on the system.

The vulnerability exists due to a lack of authorization checks for certain API GET requests. A remote authenticated attacker can send specific API GET requests and enumerate users of the CMX system.

Remediation

Install update from vendor's website.

References

• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cmxpe-75Asy9k
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cmxapi-KsKwCmfp