Headline
CVE-2021-1249: Cisco Security Advisory: Cisco Data Center Network Manager Vulnerabilities
Multiple vulnerabilities in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow a remote attacker with network-operator privileges to conduct a cross-site scripting (XSS) attack or a reflected file download (RFD) attack against a user of the interface. For more information about these vulnerabilities, see the Details section of this advisory.
The vulnerabilities are not dependent on one another. Exploitation of one of the vulnerabilities is not required to exploit the other vulnerability. In addition, a software release that is affected by one of the vulnerabilities may not be affected by the other vulnerability.
Details about the vulnerabilities are as follows.
CVE-2021-1249: Cisco DCNM Cross-Site Scripting Vulnerabilities
Multiple vulnerabilities in the web-based management interface of Cisco DCNM could allow an authenticated, remote attacker to conduct an XSS attack against a user of the interface.
These vulnerabilities are due to insufficient input validation by the web-based management interface. An attacker could exploit these vulnerabilities by inserting malicious data into a specific data field in the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.
Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.
Bug ID(s): CSCvv00645, CSCvu50101, CSCvu49711, CSCvu68933
CVE ID: CVE-2021-1249
Security Impact Rating (SIR): Medium
CVSS Base Score: 6.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:LCVE-2021-1286: Cisco DCNM Reflected File Download Vulnerabilities
Multiple vulnerabilities in the web-based management interface of Cisco DCNM could allow an unauthenticated, remote attacker to conduct an RFD attack against a user of the interface of an affected device.
These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit these vulnerabilities by persuading an authenticated user of the interface to click a link that submits malicious input to the interface. A successful exploit could allow the attacker to execute arbitrary script code on the affected device.
Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.
Bug ID(s): CSCvv87608, CSCvv87589, CSCvv87602
CVE ID: CVE-2021-1286
Security Impact Rating (SIR): Medium
CVSS Base Score: 6.1
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:NCVE-2021-1250: Cisco DCNM Cross-Site Scripting Vulnerabilities
Multiple vulnerabilities in the web-based management interface of Cisco DCNM could allow an authenticated, remote attacker to conduct an XSS attack against a user of the interface.
These vulnerabilities are due to insufficient input validation by the web-based management interface. An attacker could exploit these vulnerabilities by inserting malicious data into a specific data field in the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.
Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.
Bug ID(s): CSCvv00642, CSCvv87614, CSCvv00638, CSCvv00644, CSCvv00654, CSCvv00643
CVE ID: CVE-2021-1250
Security Impact Rating (SIR): Medium
CVSS Base Score: 5.9
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:LCVE-2021-1253: Cisco DCNM Persistent Cross-Site Scripting Vulnerabilities
Multiple vulnerabilities in the web-based management interface of Cisco DCNM could allow an authenticated, remote attacker to conduct an XSS attack against a user of the interface.
These vulnerabilities are due to insufficient input validation by the web-based management interface. An attacker could exploit these vulnerabilities by inserting malicious data into a specific data field in the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.
Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.
Bug ID(s): CSCvv07930, CSCvv00646
CVE ID: CVE-2021-1253
Security Impact Rating (SIR): Medium
CVSS Base Score: 5.9
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L