#VU15408 Path traversal in Cisco Wireless LAN Controller - CVE-2018-0420

 


Published: October 18, 2018 / Updated: October 18, 2018


Vulnerability identifier: #VU15408
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-0420
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Cisco Wireless LAN Controller
Software vendor: Cisco Systems, Inc

Description

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information.

The weakness exists in the web-based interface of Cisco Wireless LAN Controller Software and is caused by improper sanitization of user-supplied input in HTTP request parameters that describe filenames and pathnames. A remote authenticated attacker can use directory traversal techniques to submit a path to a desired file location and view system files on the targeted device, which may contain sensitive information.
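The kind of filename-parameter check whose absence the description points to, shown beside the weak pattern. This is an added example, not Cisco's code and not part of the advisory; `BASE_DIR`, the function names and the sample parameter values are hypothetical.

```python
import os
from urllib.parse import unquote

# Hypothetical document root; the advisory does not name the real paths.
BASE_DIR = "/srv/webui/files"


def naive_resolve(param: str, base: str = BASE_DIR) -> str:
    """Weak pattern: join the parameter to the base with no validation."""
    return os.path.normpath(os.path.join(base, param))


def safe_resolve(param: str, base: str = BASE_DIR) -> str:
    """Return the canonical path for `param`; raise ValueError if it would
    resolve outside `base`."""
    # Decode until stable so double-encoded input (%252e%252e) is judged in
    # the form a later decoding layer would see; cap the number of rounds.
    decoded = param
    for _ in range(5):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    else:
        raise ValueError("too many encoding layers")
    if "\x00" in decoded:
        raise ValueError("NUL byte in path parameter")
    # Treat backslashes as separators so they cannot hide "..".
    decoded = decoded.replace("\\", "/")
    if decoded.startswith("/"):
        raise ValueError("absolute path not allowed")
    root = os.path.realpath(base)
    # realpath collapses "." and ".." and resolves any symlinks that exist.
    candidate = os.path.realpath(os.path.join(root, decoded))
    # commonpath compares whole components, so a sibling directory such as
    # "files-backup" is not mistaken for a child of "files".
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("path escapes base directory")
    return candidate


def is_allowed(param: str) -> bool:
    """True if the parameter resolves inside BASE_DIR."""
    try:
        safe_resolve(param)
        return True
    except ValueError:
        return False
```

Decoding until stable also rejects or alters legitimate names that contain a literal `%`; an interface that must accept such names should decode exactly once at one layer and validate the result there.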


Remediation

The vulnerability has been addressed in versions 8.7(102.0), 8.7(1.11), 8.6(101.0), 8.6(1.98), 8.5(110.0), 8.5(107.54), 8.3(140.0), 8.3(134.89), 8.2(170.0), 8.2(167.208) and 8.2(167.8).
