A vulnerability in the web UI of Cisco SD-WAN Solution vManage software could allow an authenticated, remote malicious user to conduct SQL injection attacks on an affected system. The vulnerability exists because the web UI improperly validates SQL values. An attacker could exploit this vulnerability by authenticating to the application and sending malicious SQL queries to an affected system. A successful exploit could allow the malicious user to modify values on, or return values from, the underlying database as well as the operating system.
Switchzilla says remote networking gear has a grab-bag of holes
Cisco has issued a series of security updates for its SD-WAN and Webex software, just when they're most needed.
Switchzilla says the SD-WAN code is host to five vulnerabilities ranging from privilege escalation to remote code injection. The five CVE-listed bugs (CVE-2020-3264, CVE-2020-3265, CVE-2020-3266, CVE-2019-16010, CVE-2019-16012) are down to what Cisco calls "insufficient input validation," and the avenues to exploit it range from SQL to HTTP requests.
"An attacker could expl...