CVE-2019-1896

HIGH Year: 2019
CVSS v3 Score
7.2
High
CVSS v2 Score
9.0
Critical
Weakness Type
CWE-78
View all →

Vulnerability Description

A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) could allow an authenticated, remote attacker to inject arbitrary commands and obtain root privileges. The vulnerability is due to insufficient validation of user-supplied input in the Certificate Signing Request (CSR) function of the web-based management interface. An attacker could exploit this vulnerability by submitting a crafted CSR in the web-based management interface. A successful exploit could allow an attacker with administrator privileges to execute arbitrary commands on the device with full root privileges.

Related Vulnerabilities

CVE-2013-3322

HIGH
CVSS:7.2(High)

NetApp OnCommand System Manager 2.1 and earlier allows remote attackers to inject arbitrary commands in the Halt/Reboot interface.

CWE-782013

CVE-2015-2201

HIGH
CVSS:7.2(High)

Aruba AirWave before 7.7.14.2 and 8.x before 8.0.7 allows VisualRF remote OS command execution and file disclosure by administrative users.

CWE-782015

CVE-2016-11021

HIGH
CVSS:7.2(High)

setSystemCommand on D-Link DCS-930L devices before 2.12 allows a remote attacker to execute code via an OS command in the SystemCommand parameter.

CWE-782016

CVE-2016-11022

HIGH
CVSS:7.2(High)

NETGEAR Prosafe WC9500 5.1.0.17, WC7600 5.1.0.17, and WC7520 2.5.0.35 devices allow a remote attacker to execute code with root privileges via shell metacharacters in the reqMethod parameter to login_...

CWE-782016

CVE-2016-11054

HIGH
CVSS:7.2(High)

NETGEAR DGN2200v4 devices before 2017-01-06 are affected by command execution and an FTP insecure root directory.

CWE-782016

CVE-2016-6373

HIGH
CVSS:7.2(High)

The web-based GUI in Cisco Cloud Services Platform (CSP) 2100 2.0 allows remote authenticated administrators to execute arbitrary OS commands as root via crafted platform commands, aka Bug ID CSCva005...

CWE-782016