CVE-2022-20693 Injection vulnerability in the web UI of Cisco IOS XE Software could be exploited by an attacker with unauthorized access.


Cisco IOS XE Software includes a web server that provides a web-based interface for configuration and monitoring of the device, with features that allow users to view and modify the device's configuration. This web server is accessible over the network by users of an affected device who are authenticated by a RADIUS server. In order to exploit this vulnerability, an attacker would have to have access to an authenticated network in which to launch the attack, and access controls such as authentication and authorization would have to be bypassed.

How Could the Cisco IOS XE Software Web Server Vulnerability Be Exploited?

An attacker could exploit this vulnerability by uploading a malicious configuration file to the web server. If the upload succeeded, the file would be executed and could cause significant collateral effects, which may result in a denial of service (DoS) condition.

Overview of the Vulnerability

In order to exploit this vulnerability, an attacker would have to have access to an authenticated network in which to launch the attack, and access controls such as authentication and authorization would have to be bypassed. Additionally, Cisco IOS XE Software includes web server features that allow users to view and modify the device's configuration; these features are accessible over the network by users who are authenticated by a RADIUS server. This vulnerability is related to CVE-2019-20693.

Affected Software

Cisco IOS XE Software is affected by this vulnerability.

Vulnerable Packet Tracer

The vulnerability is an authentication bypass that would allow an attacker to gain unauthorized access to the vulnerable device. The vulnerability affects all software versions of Cisco IOS XE.
