Information modification in Cisco Systems, Inc products - CVE-2016-6412


Published: September 23, 2016 / Updated: April 5, 2018


Vulnerability identifier: #VU647
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2016-6412
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Cisco Systems, Inc
Affected software:
Cisco IOS XE
Cisco IOS
Cisco IOS XR

Detailed vulnerability description

The vulnerability allows a remote user to modify a user's information on the target system.
The weakness exists due to an input validation flaw in the Cisco Application-hosting Framework (CAF) component. By inserting specially crafted HTTP headers into the communications path between the user and the target IOS system, attackers can download an arbitrary file.
Successful exploitation of the vulnerability may result in modification of the target user's data.

How to mitigate CVE-2016-6412

Install the update from the vendor's website.

Sources