CVE-2016-1406

EUVD-2016-2505
The API web interface in Cisco Prime Infrastructure before 3.1 and Cisco Evolved Programmable Network Manager before 1.2.4 allows remote authenticated users to bypass intended RBAC restrictions and obtain sensitive information, and consequently gain privileges, via crafted JSON data, aka Bug ID CSCuy12409.
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
| --- | --- | --- | --- | --- | --- | --- |
| NIST | Primary | 8.8 HIGH | NETWORK | LOW | LOW | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
EPSS Score Percentile: 52%
Affected Products (NVD)
| Vendor | Product | Version |
| --- | --- | --- |
| cisco | evolved_programmable_network_manager | 1.2.0 |
| cisco | evolved_programmable_network_manager | 1.2.1.3 |
| cisco | evolved_programmable_network_manager | 1.2.200 |
| cisco | evolved_programmable_network_manager | 1.2.300 |
| cisco | prime_infrastructure | 1.2 |
| cisco | prime_infrastructure | 1.2.0.103 |
| cisco | prime_infrastructure | 1.2.1 |
| cisco | prime_infrastructure | 1.3 |
| cisco | prime_infrastructure | 1.3.0.20 |
| cisco | prime_infrastructure | 1.4 |
| cisco | prime_infrastructure | 1.4.0.45 |
| cisco | prime_infrastructure | 1.4.1 |
| cisco | prime_infrastructure | 1.4.2 |
| cisco | prime_infrastructure | 2.0 |
| cisco | prime_infrastructure | 2.1.0 |
| cisco | prime_infrastructure | 2.2 |
| cisco | prime_infrastructure | 2.2(2) |
| cisco | prime_infrastructure | 3.0 |