Sign-up

ID

VAR-201607-0423


CVE

CVE-2016-1442


TITLE

Cisco Prime Infrastructure Management Web An arbitrary command execution vulnerability in the interface

Trust: 0.8

sources: JVNDB: JVNDB-2016-003499

DESCRIPTION

The administrative web interface in Cisco Prime Infrastructure (PI) before 3.1.1 allows remote authenticated users to execute arbitrary commands via crafted field values, aka Bug ID CSCuy96280. Cisco Prime Infrastructure is prone to an HTML-injection vulnerability because it fails to sanitize user-supplied input. Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible. The issue is being tracked by Cisco Bug ID CSCuy96280. Cisco Prime Infrastructure versions 3.1.0 and prior are affected. The vulnerability is caused by the program not properly validating user input. A remote attacker could exploit this vulnerability to execute arbitrary commands on the affected system

Trust: 2.07

sources: NVD: CVE-2016-1442 // JVNDB: JVNDB-2016-003499 // BID: 91607 // VULHUB: VHN-90261 // VULMON: CVE-2016-1442

AFFECTED PRODUCTS

vendor:ciscomodel:prime infrastructurescope:eqversion:3.1

Trust: 1.3

vendor:ciscomodel:prime infrastructurescope:eqversion:3.0

Trust: 1.3

vendor:ciscomodel:prime infrastructurescope:ltversion:3.1.1

Trust: 0.8

vendor:ciscomodel:prime infrastructurescope:eqversion:3.0.0

Trust: 0.6

vendor:ciscomodel:prime infrastructurescope:eqversion:3.1.0

Trust: 0.6

vendor:ciscomodel:prime infrastructurescope:eqversion:3.0_base

Trust: 0.6

vendor:ciscomodel:prime infrastructurescope:eqversion:3.0.3

Trust: 0.3

vendor:ciscomodel:prime infrastructurescope:eqversion:3.0.2

Trust: 0.3

vendor:ciscomodel:prime infrastructurescope:eqversion:1.3

Trust: 0.3

vendor:ciscomodel:prime infrastructurescope:eqversion:1.2

Trust: 0.3

vendor:ciscomodel:prime infrastructurescope:eqversion:2.2

Trust: 0.3

vendor:ciscomodel:prime infrastructurescope:eqversion:2.1.0

Trust: 0.3

vendor:ciscomodel:prime infrastructurescope:eqversion:2.0.0

Trust: 0.3

vendor:ciscomodel:prime infrastructurescope:eqversion:2.0

Trust: 0.3

vendor:ciscomodel:prime infrastructurescope:eqversion:1.4.2

Trust: 0.3

vendor:ciscomodel:prime infrastructurescope:eqversion:1.4.1

Trust: 0.3

vendor:ciscomodel:prime infrastructurescope:eqversion:1.4.0

Trust: 0.3

vendor:ciscomodel:prime infrastructurescope:eqversion:1.2.1

Trust: 0.3

sources: BID: 91607 // JVNDB: JVNDB-2016-003499 // CNNVD: CNNVD-201607-036 // NVD: CVE-2016-1442

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2016-1442
value: HIGH

Trust: 1.0

NVD: CVE-2016-1442
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201607-036
value: HIGH

Trust: 0.6

VULHUB: VHN-90261
value: HIGH

Trust: 0.1

VULMON: CVE-2016-1442
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2016-1442
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-90261
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2016-1442
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-90261 // VULMON: CVE-2016-1442 // JVNDB: JVNDB-2016-003499 // CNNVD: CNNVD-201607-036 // NVD: CVE-2016-1442

PROBLEMTYPE DATA

problemtype:CWE-20

Trust: 1.9

sources: VULHUB: VHN-90261 // JVNDB: JVNDB-2016-003499 // NVD: CVE-2016-1442

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201607-036

TYPE

Input Validation Error

Trust: 0.9

sources: BID: 91607 // CNNVD: CNNVD-201607-036

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2016-003499

PATCH
title:cisco-sa-20160706-piurl:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160706-pi
Trust: 0.8
title:Cisco Prime Infrastructure HTML Repair measures for injecting vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=62628
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2016-003499 // 
            
            
            
            CNNVD: CNNVD-201607-036

EXTERNAL IDS
db:NVDid:CVE-2016-1442
Trust: 2.9
db:SECTRACKid:1036238
Trust: 1.8
db:JVNDBid:JVNDB-2016-003499
Trust: 0.8
db:CNNVDid:CNNVD-201607-036
Trust: 0.7
db:BIDid:91607
Trust: 0.5
db:VULHUBid:VHN-90261
Trust: 0.1
db:VULMONid:CVE-2016-1442
Trust: 0.1
sources:
            
            
            VULHUB: VHN-90261 // 
            
            
            
            VULMON: CVE-2016-1442 // 
            
            
            
            BID: 91607 // 
            
            
            
            JVNDB: JVNDB-2016-003499 // 
            
            
            
            CNNVD: CNNVD-201607-036 // 
            
            
            
            NVD: CVE-2016-1442

REFERENCES
url:http://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20160706-pi
Trust: 1.8
url:http://www.securitytracker.com/id/1036238
Trust: 1.8
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-1442
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-1442
Trust: 0.8
url:http://www.cisco.com/c/en/us/products/cloud-systems-management/prime-infrastructure/index.html
Trust: 0.3
url:tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20160706-pi
Trust: 0.3
url:https://cwe.mitre.org/data/definitions/20.html
Trust: 0.1
url:https://nvd.nist.gov
Trust: 0.1
url:https://www.securityfocus.com/bid/91607
Trust: 0.1
sources:
            
            
            VULHUB: VHN-90261 // 
            
            
            
            VULMON: CVE-2016-1442 // 
            
            
            
            BID: 91607 // 
            
            
            
            JVNDB: JVNDB-2016-003499 // 
            
            
            
            CNNVD: CNNVD-201607-036 // 
            
            
            
            NVD: CVE-2016-1442

CREDITS
Cisco
Trust: 0.3
sources:
            
            
            BID: 91607

SOURCES
db:VULHUBid:VHN-90261
db:VULMONid:CVE-2016-1442
db:BIDid:91607
db:JVNDBid:JVNDB-2016-003499
db:CNNVDid:CNNVD-201607-036
db:NVDid:CVE-2016-1442

LAST UPDATE DATE
2024-11-23T22:38:44.034000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-90261date:2019-07-29T00:00:00
db:VULMONid:CVE-2016-1442date:2019-07-29T00:00:00
db:BIDid:91607date:2016-07-06T00:00:00
db:JVNDBid:JVNDB-2016-003499date:2016-07-12T00:00:00
db:CNNVDid:CNNVD-201607-036date:2019-07-30T00:00:00
db:NVDid:CVE-2016-1442date:2024-11-21T02:46:27.110

SOURCES RELEASE DATE
db:VULHUBid:VHN-90261date:2016-07-07T00:00:00
db:VULMONid:CVE-2016-1442date:2016-07-07T00:00:00
db:BIDid:91607date:2016-07-06T00:00:00
db:JVNDBid:JVNDB-2016-003499date:2016-07-12T00:00:00
db:CNNVDid:CNNVD-201607-036date:2016-07-07T00:00:00
db:NVDid:CVE-2016-1442date:2016-07-07T14:59:03.063