CVE-2019-12690

A vulnerability in the web UI of the Cisco Firepower Management Center (FMC) could allow an authenticated, remote attacker to inject arbitrary commands that are executed with the privileges of the root user of the underlying operating system. The vulnerability is due to insufficient validation of user-supplied input to the web UI. An attacker could exploit this vulnerability by submitting crafted input in the web UI. A successful exploit could allow an attacker to execute arbitrary commands on the device with full root privileges.

Published : 2019-10-02 19:15 Updated : 2019-10-10 17:17

CVSS Score: 9.0 / 10
Vendor Product Version URI
Cisco Firepower Management Center 2.9.8 cpe:/a:cisco:firepower_management_center:2.9.8
Cisco Firepower Management Center 2.9.9 cpe:/a:cisco:firepower_management_center:2.9.9
Cisco Firepower Management Center 2.9.10 cpe:/a:cisco:firepower_management_center:2.9.10
Cisco Firepower Management Center 2.9.11 cpe:/a:cisco:firepower_management_center:2.9.11
Cisco Firepower Management Center 2.9.12 cpe:/a:cisco:firepower_management_center:2.9.12
Cisco Firepower Management Center 2.9.13 cpe:/a:cisco:firepower_management_center:2.9.13
Cisco Firepower Management Center 4.10.3.9 cpe:/a:cisco:firepower_management_center:4.10.3.9
Cisco Firepower Management Center 5.3.0.2 cpe:/a:cisco:firepower_management_center:5.3.0.2
Cisco Firepower Management Center 5.3.0.3 cpe:/a:cisco:firepower_management_center:5.3.0.3
Cisco Firepower Management Center 5.3.0.4 cpe:/a:cisco:firepower_management_center:5.3.0.4
Cisco Firepower Management Center 5.3.1.3 cpe:/a:cisco:firepower_management_center:5.3.1.3
Cisco Firepower Management Center 5.3.1.4 cpe:/a:cisco:firepower_management_center:5.3.1.4
Cisco Firepower Management Center 5.3.1.5 cpe:/a:cisco:firepower_management_center:5.3.1.5
Cisco Firepower Management Center 5.3.1.6 cpe:/a:cisco:firepower_management_center:5.3.1.6
Cisco Firepower Management Center 5.3_base cpe:/a:cisco:firepower_management_center:5.3_base
Cisco Firepower Management Center 5.4.0 cpe:/a:cisco:firepower_management_center:5.4.0
Cisco Firepower Management Center 5.4.0.2 cpe:/a:cisco:firepower_management_center:5.4.0.2
Cisco Firepower Management Center 5.4.1 cpe:/a:cisco:firepower_management_center:5.4.1
Cisco Firepower Management Center 5.4.1.1 cpe:/a:cisco:firepower_management_center:5.4.1.1
Cisco Firepower Management Center 5.4.1.2 cpe:/a:cisco:firepower_management_center:5.4.1.2
Cisco Firepower Management Center 5.4.1.3 cpe:/a:cisco:firepower_management_center:5.4.1.3
Cisco Firepower Management Center 5.4.1.4 cpe:/a:cisco:firepower_management_center:5.4.1.4
Cisco Firepower Management Center 5.4.1.5 cpe:/a:cisco:firepower_management_center:5.4.1.5
Cisco Firepower Management Center 5.4.1.6 cpe:/a:cisco:firepower_management_center:5.4.1.6
Cisco Firepower Management Center 5.4_base cpe:/a:cisco:firepower_management_center:5.4_base
Cisco Firepower Management Center 6.0.0 cpe:/a:cisco:firepower_management_center:6.0.0
Cisco Firepower Management Center 6.0.0.1 cpe:/a:cisco:firepower_management_center:6.0.0.1
Cisco Firepower Management Center 6.0.1 cpe:/a:cisco:firepower_management_center:6.0.1
Cisco Firepower Management Center 6.0_base cpe:/a:cisco:firepower_management_center:6.0_base
Cisco Firepower Management Center 6.2.3.6 cpe:/a:cisco:firepower_management_center:6.2.3.6

CWE

ID: CWE-78
Name: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Description: The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

History of changes

Date Event
2019-10-10 17:17
2019-10-02 19:17 New CVE