Executive Summary
| Summary | |
|---|---|
| Title | Cisco Secure Access Control System Unauthorized Password Change Vulnerability |
| Informations | |||
|---|---|---|---|
| Name | cisco-sa-20110330-acs | First vendor Publication | 2011-03-09 |
| Vendor | Cisco | Last vendor Modification | 2011-03-30 |
| Severity (Vendor) | N/A | Revision | 1.0 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:L/Au:N/C:N/I:P/A:N) | |||
|---|---|---|---|
| Cvss Base Score | 5 | Attack Range | Network |
| Cvss Impact Score | 2.9 | Attack Complexity | Low |
| Cvss Expoit Score | 10 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| A vulnerability exists in some Cisco Secure Access Control System (ACS) versions that could allow a remote, unauthenticated attacker to change the password of any user account to any value without providing the account's previous password. Successful exploitation requires the user account to be defined on the internal identity store. This vulnerability does not allow an attacker to perform any other changes to the ACS database. That is, an attacker cannot change access policies, device properties, or any account attributes except the user password. Cisco has released free software updates that address this vulnerability. There is no workaround for this vulnerability. |
Original Source
| Url : http://www.cisco.com/en/US/products/products_security_advisory09186a0080b7 (...) |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 100 % | CWE-255 | Credentials Management |
CPE : Common Platform Enumeration
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 72289 | Cisco Secure Access Control System Arbitrary User Password Modification Cisco ACS contains a flaw related to the web interface. The issue is triggered when a remote attacker uses a malformed URL to change any user password to an arbitrary value. This may allow an attacker to reset any user password. |
Metasploit Database
| id | Description |
|---|---|
| 2020-05-23 | Cisco Secure ACS Unauthorized Password Change |
| 2020-07-16 | Cisco Secure ACS Unauthorized Password Change |
| 2019-01-24 | Cisco RV320/RV326 Configuration Disclosure |
Alert History
| Date | Informations |
|---|---|
| 2020-07-16 21:22:49 |
|
| 2020-05-23 13:16:43 |
|
| 2016-03-14 13:21:22 |
|
| 2013-09-05 21:20:20 |
|
