
Summary

Vendor:           Cisco
Product:          Secure Access Control System
Version:          5.1.0.44
Update:           *
Edition:          *
Language:         *
Software Edition: *
Target Software:  *
Target Hardware:  *
Other:            *

CPE Product: cpe:2.3:a:cisco:secure_access_control_system

Detail

First view: 2011-04-04
Last view:  2018-05-02
Type:       Application

Related: CVE

Score Date Alert (description follows each entry)

9.8 2018-05-02 CVE-2018-0253

A vulnerability in the ACS Report component of Cisco Secure Access Control System (ACS) could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected system. Commands executed by the attacker are processed at the targeted user's privilege level. The vulnerability is due to insufficient validation of the Action Message Format (AMF) protocol. An attacker could exploit this vulnerability by sending a crafted AMF message that contains malicious code to a targeted user. A successful exploit could allow the attacker to execute arbitrary commands on the ACS device. This vulnerability affects all releases of Cisco Secure ACS prior to Release 5.8 Patch 7. Cisco Bug IDs: CSCve69037.

4 2015-06-24 CVE-2015-4219

Cisco Secure Access Control System before 5.4(0.46.2) and 5.5 before 5.5(0.46) and Cisco Identity Services Engine 1.0(4.573) do not properly implement access control for support bundles, which allows remote authenticated users to obtain sensitive information via brute-force attempts to send valid credentials, aka Bug IDs CSCue00833 and CSCub40331.

6.5 2015-02-11 CVE-2015-0580

Multiple SQL injection vulnerabilities in the ACS View reporting interface pages in Cisco Secure Access Control System (ACS) before 5.5 patch 7 allow remote authenticated administrators to execute arbitrary SQL commands via crafted HTTPS requests, aka Bug ID CSCuq79027.

10 2014-01-16 CVE-2014-0650

The web interface in Cisco Secure Access Control System (ACS) 5.x before 5.4 Patch 3 allows remote attackers to execute arbitrary operating-system commands via a request to this interface, aka Bug ID CSCue65962.

9 2014-01-16 CVE-2014-0649

The RMI interface in Cisco Secure Access Control System (ACS) 5.x before 5.5 does not properly enforce authorization requirements, which allows remote authenticated users to obtain superadmin access via a request to this interface, aka Bug ID CSCud75180.

10 2014-01-16 CVE-2014-0648

The RMI interface in Cisco Secure Access Control System (ACS) 5.x before 5.5 does not properly enforce authentication and authorization requirements, which allows remote attackers to obtain administrative access via a request to this interface, aka Bug ID CSCud75187.

5 2011-04-04 CVE-2011-0951

The web-based management interface in Cisco Secure Access Control System (ACS) 5.1 before 5.1.0.44.6 and 5.2 before 5.2.0.26.3 allows remote attackers to change arbitrary user passwords via unspecified vectors, aka Bug ID CSCtl77440.

CWE: Common Weakness Enumeration

% (count) id Name
37% (3) CWE-264 Permissions, Privileges, and Access Controls
25% (2) CWE-20 Improper Input Validation
12% (1) CWE-255 Credentials Management
12% (1) CWE-200 Information Exposure
12% (1) CWE-89 Improper Sanitization of Special Elements used in an SQL Command ('...

Open Source Vulnerability Database (OSVDB)

id Description
72289 Cisco Secure Access Control System Arbitrary User Password Modification

Information Assurance Vulnerability Management (IAVM)

id Description
2015-A-0040 Cisco Secure Access Control System (ACS) SQL Injection Vulnerability
Severity: Category I - VMSKEY: V0058909
2014-A-0014 Multiple Vulnerabilities in Cisco Secure Access Control System (ACS)
Severity: Category I - VMSKEY: V0043619

Nessus® Vulnerability Scanner

id Description
2018-06-07 Name: The remote host is missing a vendor-supplied security patch.
File: cisco-sa-20180502-acs1.nasl - Type: ACT_GATHER_INFO
2015-02-20 Name: The remote host is missing a vendor-supplied security patch.
File: cisco-sa-20150211-csacs.nasl - Type: ACT_GATHER_INFO
2014-01-16 Name: The remote host is missing a vendor-supplied security patch.
File: cisco-sa-20140115-csacs.nasl - Type: ACT_GATHER_INFO