Cisco SD-WAN vManage Software Vulnerability: Authenticated Attackers Can Access Sensitive Information
CVE-2020-26066

6.5 MEDIUM

Key Information:

Vendor:
Cisco
CVE Published:
18 November 2024

Summary

A vulnerability identified in the web UI of Cisco SD-WAN vManage Software allows an authenticated remote attacker to gain unauthorized read and write access to sensitive information stored on the affected system. This issue arises from the improper handling of XML External Entity (XXE) entries when certain XML files are parsed. An attacker could exploit this flaw by convincing a user to import a specially crafted XML file containing malicious inputs. If successful, the attacker could manipulate files within the application, risking the integrity and confidentiality of the stored data. Cisco has released updates to rectify this vulnerability, but no workarounds are available to mitigate the risk.
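The defensive counterpart to the flaw described above is to refuse any imported XML that declares a DTD or entity before the application's real parser ever sees it. The following is an added example written for this page, not Cisco's code and not vManage's import logic: it screens an uploaded file with Python's standard-library expat bindings (the same policy defusedxml enforces with forbid_dtd) and only then hands the bytes to ElementTree. The flat `<config><key>value</key></config>` import format, the function names and the sample documents are all constructed assumptions.

```python
"""Screen imported XML for DTD / entity declarations before parsing it.

Added example (not Cisco's or vManage's code). Assumes a hypothetical import
format of the shape <config><key>value</key>...</config>.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeXmlError(ValueError):
    """Raised when the document declares a DTD, an entity or an external reference."""


def check_xml_safe(data: bytes) -> bool:
    """Walk `data` with expat and raise UnsafeXmlError on the first DTD construct.

    Returns True when the document is well-formed and free of DOCTYPE/entity
    declarations. Malformed input raises xml.parsers.expat.ExpatError.
    """
    parser = xml.parsers.expat.ParserCreate()
    # Never fetch parameter entities (external DTD subsets) while screening.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXmlError(f"DOCTYPE not allowed in imports (root element {name!r})")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXmlError(f"entity declaration {name!r} not allowed")

    def on_external_ref(context, base, sysid, pubid):
        raise UnsafeXmlError(f"external entity reference to {sysid!r} not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(data, True)  # exceptions raised in handlers propagate out of Parse()
    return True


def classify_import(data: bytes) -> str:
    """Return 'ok', 'rejected' or 'malformed' for an uploaded XML file."""
    try:
        check_xml_safe(data)
    except UnsafeXmlError:
        return "rejected"
    except xml.parsers.expat.ExpatError:
        return "malformed"
    return "ok"


def import_config(data: bytes) -> dict:
    """Screen first, then parse with ElementTree into a {tag: text} mapping."""
    check_xml_safe(data)  # raises before any entity could be expanded
    root = ET.fromstring(data)
    return {child.tag: (child.text or "").strip() for child in root}


# Constructed sample inputs (not taken from the advisory).
BENIGN_IMPORT = b"""<?xml version="1.0"?>
<config>
  <hostname>edge-01</hostname>
  <site-id>100</site-id>
</config>
"""

# An import carrying an external entity definition; an unprotected parser would
# read the referenced file when &cfg; is expanded. The path is a placeholder.
XXE_IMPORT = b"""<?xml version="1.0"?>
<!DOCTYPE config [
  <!ENTITY cfg SYSTEM "file:///var/app/placeholder-secret.txt">
]>
<config>
  <hostname>&cfg;</hostname>
</config>
"""

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_IMPORT), ("xxe", XXE_IMPORT)):
        print(label, classify_import(blob))
    print(import_config(BENIGN_IMPORT))
```

The screening pass rejects the whole document on the first DOCTYPE, so internal-only entity declarations and entity expansion (billion-laughs style) are blocked along with external references; that is deliberate, since a configuration import has no legitimate need for a DTD. Logging the `UnsafeXmlError` message alongside the uploading user gives the SOC a detection signal for attempts against this class of bug.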

Affected Version(s)

Cisco Catalyst SD-WAN Manager 20.1.12

Cisco Catalyst SD-WAN Manager 19.2.1

Cisco Catalyst SD-WAN Manager 18.4.4

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved