#VU17199 Information disclosure in Cisco Mobility Services Engine
Vulnerability identifier: #VU17199
Vulnerability risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-200
Exploitation vector: Local network
Exploit availability: No
Vulnerable software:
Cisco Mobility Services Engine
Mobile applications /
Apps for mobile phones
Vendor: Cisco Systems, Inc
Description
The vulnerability allows an adjacent attacker to obtain potentially sensitive information.
The vulnerability exists due to a lack of input and validation checking mechanisms for certain GET requests to API's. An adjacent attacker can send HTTP GET requests obtain arbitrary data and use this information to conduct additional reconnaissance attacks.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Cisco Mobility Services Engine: 10.2.1.0
External links
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-cmx-info-dis...
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
