Cisco ASA-CX and Cisco Prime Security Manager Privilege Escalation Vulnerability

cisco-sa-20160203-prsm · High · Published 10 years ago · Updated 10 years ago

Data: Cisco advisories 1 day ago · Cisco CSAF 4 hours ago · NVD CVEs 7 hours ago · NVD CPEs 1 day ago · CISA KEV 1 day ago · EPSS 1 day ago

A vulnerability in the role-based access control of Cisco ASA-CX and Cisco Prime Security Manager (PRSM) could allow an authenticated, remote attacker to change the password of any user on the system. The vulnerability exists because the password change request is not fully qualified. An authenticated attacker with a user role other than Administrator could exploit this vulnerability by sending a specially crafted HTTP request to the Cisco PRSM. An exploit could allow the attacker to change the password of any user on the system, including users with the Administrator role. Cisco has released software updates that address this vulnerability. This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160203-prsm

Cisco advisory ·CSAF JSON

Workarounds

There are no workarounds that address this vulnerability.

CVEs	CVE-2016-1301
Cisco Bug IDs	CSCuo94842
CVSS Score	Base 8.5 Base 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C/E:F/RL:OF/RC:C

Products with public affected evidence

Product	CVE	Affected evidence
Cisco Prime Security Manager (PRSM)	CVE-2016-1301	structured affected CSAF product_status
Cisco ASA CX Context-Aware Security Software	CVE-2016-1301	structured affected CSAF product_status