CVE-2020-3223

Cisco IOS XE Software Web UI Arbitrary File Read Vulnerability

CVSS 4.5 MEDIUMEPSS 1.9%CWE-59

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 4.5EPSS 1.9%KEV nãoPoC —Patch referenciado

Lifecycle

03 Jun 2020Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

A vulnerability in the web-based user interface (web UI) of Cisco IOS XE Software could allow an authenticated, remote attacker with administrative privileges to read arbitrary files on the underlying filesystem of the device. The vulnerability is due to insufficient file scope limiting. An attacker could exploit this vulnerability by creating a specific file reference on the filesystem and then accessing it through the web UI. An exploit could allow the attacker to read arbitrary files from the underlying operating system's filesystem.

CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N

Affected products

Cisco · Cisco IOS XE Software 16.9.4

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webui-filerd-HngnDYGk