A day after proof-of-concept (PoC) exploit code was published for a critical flaw in Cisco Security Manager, Cisco has hurried out a patch. Cisco Security Manager is an end-to-end security management application for enterprise administrators, which gives them the ability to enforce various security policies, troubleshoot security events and manage a wide range of devices. The application has a vulnerability that could allow remote, unauthenticated attackers to access sensitive data on affected systems. The flaw (CVE-2020-27130) has a CVSS score of 9.1 out of 10, making it critical. “An attacker could exploit this vulnerability by sending a crafted request to the affected device,” according to Cisco, in a Tuesday analysis. “A successful exploit could allow the attacker to download arbitrary files from the affected device.” According to Cisco, the flaw stems from the improper validation of directory traversal character sequences within requests to an affected device. A path-traversal attack aims to access files and directories that are stored outside the web root folder. If an attacker manipulates variables referencing files (with “dot-dot-slash (../)” sequences), it is possible to access arbitrary files and directories stored on file system, such as application source code, or configuration and critical system files. PoC exploits for the flaw – as well as 11 other issues in Cisco Security Manager – were published online Monday by security researcher Florian Hauser. Hauser…
0 0 govanguard https://govanguard.com/wp-content/uploads/2018/04/Header_Logo.png govanguard2020-11-17 10:17:002020-11-17 10:17:00Cisco Patches Critical Flaw After PoC Exploit Code Release
Our Standard Office Hours
Monday – Friday: 8:00AM – 5:00PM EDT
Saturday – Sunday: Closed
Where to Find Us
Data Privacy Notice
- – All product names, logos, and brands are property of their respective owners.
- – The use of these names, logos, and brands is for identification purposes only and does not imply endorsement.
- – Content syndication and aggregation of public information is solely for the purpose of identifying information security trends, all syndicated content contains source links to the content creator website. All content is owned by it’s respective content creators.
- – If you are an owner of some content and want it to be removed, please email email@example.com