Vulnerability Details : CVE-2023-20130
Multiple vulnerabilities in the web-based management interface of Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager (EPNM) could allow a remote attacker to obtain privileged information and conduct cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks. For more information about these vulnerabilities, see the Details section of this advisory.
Vulnerability category: Cross site scripting (XSS)Directory traversalCross-site request forgery (CSRF)
Products affected by CVE-2023-20130
- cpe:2.3:a:cisco:prime_infrastructure:*:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:prime_infrastructure:*:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:prime_infrastructure:3.8:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:prime_infrastructure:3.8.1:-:*:*:*:*:*:*
- cpe:2.3:a:cisco:prime_infrastructure:3.9:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:prime_infrastructure:3.9.1:-:*:*:*:*:*:*
- Cisco » Evolved Programmable Network ManagerVersions from including (>=) 5.1 and before (<) 5.1.4.2cpe:2.3:a:cisco:evolved_programmable_network_manager:*:*:*:*:*:*:*:*
- Cisco » Evolved Programmable Network ManagerVersions from including (>=) 6.1 and before (<) 6.1.1.1cpe:2.3:a:cisco:evolved_programmable_network_manager:*:*:*:*:*:*:*:*
- Cisco » Evolved Programmable Network ManagerVersions from including (>=) 6.0 and before (<) 6.0.2.1cpe:2.3:a:cisco:evolved_programmable_network_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:evolved_programmable_network_manager:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-20130
0.08%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 33 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-20130
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.5
|
MEDIUM | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
2.8
|
3.6
|
Cisco Systems, Inc. | |
6.5
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |
2.8
|
3.6
|
NIST |
CWE ids for CVE-2023-20130
-
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize multiple internal "../" sequences that can resolve to a location that is outside of that directory.Assigned by: ykramarz@cisco.com (Secondary)
-
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.Assigned by: nvd@nist.gov (Primary)
References for CVE-2023-20130
-
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-pi-epnm-eRPWAXLe
Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager VulnerabilitiesVendor Advisory
Jump to