Vulnerability Details : CVE-2023-20127
Multiple vulnerabilities in the web-based management interface of Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager (EPNM) could allow a remote attacker to obtain privileged information and conduct cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks. For more information about these vulnerabilities, see the Details section of this advisory.
Vulnerability category: Cross site scripting (XSS)Directory traversalCross-site request forgery (CSRF)
Products affected by CVE-2023-20127
- cpe:2.3:a:cisco:prime_infrastructure:*:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:prime_infrastructure:*:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:prime_infrastructure:3.8:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:prime_infrastructure:3.8.1:-:*:*:*:*:*:*
- cpe:2.3:a:cisco:prime_infrastructure:3.9:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:prime_infrastructure:3.9.1:-:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-20127
0.09%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 40 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-20127
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.5
|
MEDIUM | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
2.8
|
3.6
|
Cisco Systems, Inc. | |
6.5
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
2.8
|
3.6
|
NIST |
CWE ids for CVE-2023-20127
-
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize multiple internal "../" sequences that can resolve to a location that is outside of that directory.Assigned by: ykramarz@cisco.com (Secondary)
References for CVE-2023-20127
-
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-pi-epnm-eRPWAXLe
Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager VulnerabilitiesVendor Advisory
Jump to