CVE-2017-6637

A vulnerability in the web interface of Cisco Prime Collaboration Provisioning Software (prior to Release 11.1) could allow an authenticated, remote attacker to delete any file from an affected system. The vulnerability exists because the affected software does not perform proper input validation of HTTP requests and fails to apply role-based access controls (RBACs) to requested HTTP URLs. An attacker could exploit this vulnerability by sending a crafted HTTP request that uses directory traversal techniques to submit a path to a desired file location on an affected system. A successful exploit could allow the attacker to delete any file from the system. Cisco Bug IDs: CSCvc99618.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.5 MEDIUM
NETWORK
LOW
LOW
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
ciscoCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 77%
VendorProductVersion
ciscoprime_collaboration_provisioning
9.0.0
ciscoprime_collaboration_provisioning
9.5.0
ciscoprime_collaboration_provisioning
10.0.0
ciscoprime_collaboration_provisioning
10.5.0
ciscoprime_collaboration_provisioning
10.5.1
ciscoprime_collaboration_provisioning
10.6.0
ciscoprime_collaboration_provisioning
10.6.2
ciscoprime_collaboration_provisioning
11.0.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://www.securityfocus.com/bid/98530
http://www.securitytracker.com/id/1038515
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170517-pcp5
http://www.securityfocus.com/bid/98530
http://www.securitytracker.com/id/1038515
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170517-pcp5