#VU647 Information modification in Cisco Systems, Inc products - CVE-2016-6412
Published: September 23, 2016 / Updated: April 5, 2018
Vulnerability identifier: #VU647
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2016-6412
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Cisco IOS XE
Cisco IOS
Cisco IOS XR
Cisco IOS XE
Cisco IOS
Cisco IOS XR
Software vendor:
Cisco Systems, Inc
Cisco Systems, Inc
Description
The vulnerabiity allows a remote user to modify user's information on the target system.
The weakness exists due to input validation flaw in the Cisco Application-hosting Framework (CAF) component. By insertion specially crafted HTTP headers into the communications path between the user and the target IOS system attackers can download an arbitrary file.
Successful exploitation of the vulnerability may result in modification of target user's data.
The weakness exists due to input validation flaw in the Cisco Application-hosting Framework (CAF) component. By insertion specially crafted HTTP headers into the communications path between the user and the target IOS system attackers can download an arbitrary file.
Successful exploitation of the vulnerability may result in modification of target user's data.
Remediation
Install update from vendor's website.