—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1
Cisco Security Advisory: Cisco Prime Infrastructure and Evolved Programmable Network Manager XML Injection Vulnerability
Advisory ID: cisco-sa-20170621-piepnm1
Revision: 1.0
For Public Release: 2017 June 21 16:00 GMT
Last Updated: 2017 June 21 16:00 GMT
CVE ID(s): CVE-2017-6662
CVSS Score v(3): 8.8 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+———————————————————————
Summary
=======
A vulnerability in the web-based user interface of Cisco Prime Infrastructure (PI) and Evolved Programmable Network Manager (EPNM) could allow an authenticated, remote attacker read and write access to information stored in the affected system as well as perform remote code execution. The attacker must have valid user credentials.
The vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing an XML file. An attacker could exploit this vulnerability by convincing the administrator of an affected system to import a crafted XML file with malicious entries which could allow the attacker to read and write files and execute remote code within the application.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170621-piepnm1 [“https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170621-piepnm1”]
—–BEGIN PGP SIGNATURE—–
iQKBBAEBAgBrBQJZSprDZBxDaXNjbyBTeXN0ZW1zIFByb2R1Y3QgU2VjdXJpdHkg
SW5jaWRlbnQgUmVzcG9uc2UgVGVhbSAoQ2lzY28gUFNJUlQga2V5IDIwMTYtMjAx
NykgPHBzaXJ0QGNpc2NvLmNvbT4ACgkQrz2APcQAkHnzLxAAwXt5CUYanrRJF5uH
43oXsyV9pAuV/dgG0ebViFS7q4ozUWdncFMlSaMAZ4PJDzPKmCjzIHrzHjS4FW/q
3xsaqVkA/8kJtgfqjvpR7bvJZHIOPHYJgYsdl1J61c0cUVpiKyHhPo50Fi8yOOd3
jx85tDqlXXPIve7YIk53hcBk/W2/QZPQqQVGgZG1wQ5YfyhtXyZ1dP0Ylz1GDOU0
viIurjVuiyO8oGcHG56LIRxUdUS+UPW838S30RXwv+WE5oeB46nj+B4ceR8KANEz
+rMs9LD8xbdKfk/TUfp3OFm3Gcaf8xfY7IKi++1AwryeAShBXT9l93/LUFfBTxNy
8ZQTMQXJqVHUmF7w9yMlVydrcHHDDI3shLMSADdTJoB4YJgzlGorzEPdmaxL6YRz
N4E/0L02upbDIgJG6qMUVrzPrWFGvrQpSAgdKjenJcXsbSkZzLLWiw8kTBBfiu+Y
rv5AA6uRnjwblVIzVA6E8QgpPehgjpiDlUX3WYcNu0hcttFfi5KBHRnXP4B0Rn8p
sFhvVLMLVy1u0lJqc/WalKYTOA2430GF0rY9vT/SejM44DdriSCGIzE3/heI8e0A
DVWU34cTpEO1V+qLsgqx/0IYuCxcw2z1CniC8GjbwsyU73wbinO4MJloOJeKMlbq
jQlHClcgPPDJXq3Kv+N57HqENXg=
=2Fpm
—–END PGP SIGNATURE—–
_______________________________________________
cust-security-announce mailing list
cust-security-announce@cisco.com
To unsubscribe, send the command “unsubscribe” in the subject of your message to cust-security-announce-leave@cisco.com