Request a Demo
Rewterz
Rewterz Threat Advisory – CVE-2021-41167 – Node.js modern-async module
October 22, 2021
Rewterz
Rewterz Threat Advisory – Multiple Apache Vulnerabilities
October 22, 2021

Rewterz Threat Advisory – Multiple Cisco Products Vulnerabilities

Severity

Medium

Analysis Summary

CVE-2021-34760 

Cisco TelePresence Management Suite is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the web-based management interface. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.

CVE-2021-34738 

Cisco Identity Services Engine is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by web-based management interface. A remote attacker could exploit this vulnerability to execute script in a victim’s Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.

CVE-2021-40121 

Cisco Identity Services Engine is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by web-based management interface. A remote attacker could exploit this vulnerability to execute script in a victim’s Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.

CVE-2021-1529 

Cisco IOS XE SD-WAN Software could allow a local authenticated attacker to execute arbitrary commands on the system, caused by improper input validation by the system CLI. By sending specially-crafted input to the system CLI, an attacker could exploit this vulnerability to execute arbitrary commands on the underlying operating system with root privileges.

CVE-2021-34743 

Cisco Webex Software Application is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request to read data from that user’s profile. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.

Impact

  • Cross-Site Scripting
  • Command Execution
  • Security Bypass

Affected Vendors

Cisco

Affected Products

  • Cisco TelePresence Management Suite (TMS)
  • Cisco Identity Services Engine 2.6
  • Cisco Identity Services Engine 2.7
  • Cisco Identity Services Engine 3.0
  • Cisco IOS XE Software Cisco Cloud Services Router (CSR) 1000V Series
  • Cisco IOS XE SD-WAN Software
  • Cisco 1000 Series Integrated Services Routers (ISRs)
  • Cisco 4000 Series ISRs
  • Cisco ASR 1000 Series Aggregation Services Routers
  • Cisco Catalyst 8000 Series Edge Platforms
  • Cisco Webex Software

Remediation

Refer to Cisco Security Advisory for patch, upgrade, or suggested workaround information.

CVE-2021-34760

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-tms-xss-CwjZJSQc

CVE-2021-34738

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-xss1-rgxYry2V

CVE-2021-40121

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sd-wan-rhpbE34A

CVE-2021-1529

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sd-wan-rhpbE34A

CVE-2021-34743

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-2FmKd7T