XML External Entity Vulnerability in Cisco Prime Infrastructure and EPNM
CVE-2017-6662

8 HIGH

Summary

A security vulnerability exists in the web-based user interface of Cisco Prime Infrastructure and Evolved Programmable Network Manager, which could enable an authenticated remote attacker to exploit improper handling of XML External Entity (XXE) entries. By persuading an administrator of the affected systems to import a specially crafted XML file, the attacker could gain read and write access to sensitive data and possibly execute arbitrary code within the application. This vulnerability is present in multiple versions of Cisco Prime Infrastructure and Cisco EPNM, making it critical for users to apply the necessary security patches to protect their systems.

Affected Version(s)

Cisco Prime Infrastructure and Evolved Programmable Network Manager

CVSS V3.1

Score: 8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved