
{
"id": "CVE-2023-20273",
"sourceIdentifier": "ykramarz@cisco.com",
"published": "2023-10-25T18:17:23.017",
"lastModified": "2023-10-25T20:32:16.527",
"vulnStatus": "Awaiting Analysis",
"cisaExploitAdd": "2023-10-23",
"cisaActionDue": "2023-10-27",
"cisaRequiredAction": "Verify that instances of Cisco IOS XE Web UI are in compliance with BOD 23-02 and apply mitigations per vendor instructions. For affected products (Cisco IOS XE Web UI exposed to the internet or to untrusted networks), follow vendor instructions to determine if a system may have been compromised and immediately report positive findings to CISA.",
"cisaVulnerabilityName": "Cisco IOS XE Web UI Command Injection Vulnerability",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in the web UI feature of Cisco IOS XE Software could allow an authenticated, remote attacker to inject commands with the privileges of root.\r\n\r This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending crafted input to the web UI. A successful exploit could allow the attacker to inject commands to the underlying operating system with root privileges."
},
{
"lang": "es",
"value": "Una vulnerabilidad en la funci\u00f3n de interfaz de usuario web del software Cisco IOS XE podr\u00eda permitir que un atacante remoto autenticado inyecte comandos con privilegios de root. Esta vulnerabilidad se debe a una validaci\u00f3n de entrada insuficiente. Un atacante podr\u00eda aprovechar esta vulnerabilidad enviando datos manipulados a la interfaz de usuario web. Un exploit exitoso podr\u00eda permitir al atacante inyectar comandos al sistema operativo subyacente con privilegios de root."
}
],
"metrics": {
"cvssMetricV31": [
{
"source": "ykramarz@cisco.com",
"type": "Secondary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "HIGH",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9
}
]
},
"references": [
{
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z",
"source": "ykramarz@cisco.com"
}
]
}