Main Vulnerability Database Vulnerabilities #VU54607

Missing XML Validation in Cisco AsyncOS for Web Security Appliances - CVE-2021-1359

Published: July 8, 2021

Vulnerability identifier: #VU54607

CSH Severity: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2021-1359

CWE-ID: CWE-112

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Cisco AsyncOS for Web Security Appliances

Software vendor:
Cisco Systems, Inc

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to insufficient validation of user-supplied XML input for the web interface. A remote authenticated attacker can upload specially crafted XML configuration files to execute arbitrary commands on the underlying operating system and elevate privileges to root.

Remediation

Install updates from vendor's website.

External links

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-scr-web-priv-esc-k3HCGJZ

Missing XML Validation in Cisco AsyncOS for Web Security Appliances - CVE-2021-1359

Description

Remediation

External links

Please verify you're human