A vulnerability in the authorization subsystem of Cisco IOS XE Software could allow an authenticated but unprivileged (level 1), remote attacker to run privileged Cisco IOS commands by using the web UI. The vulnerability is due to improper validation of user privileges of web UI users. An attacker could exploit this vulnerability by submitting a malicious payload to a specific endpoint in the web UI. A successful exploit could allow the lower-privileged attacker to execute arbitrary commands with higher privileges on the affected device.

Published : 2019-03-28 01:29 Updated : 2019-10-09 23:47


There is no CVSS for this CVE.
Vendor Product Version URI
Cisco Ios Xe 3.2.0ja cpe:/o:cisco:ios_xe:3.2.0ja
Cisco Ios Xe 16.7.1 cpe:/o:cisco:ios_xe:16.7.1
Cisco Ios Xe 16.7.1a cpe:/o:cisco:ios_xe:16.7.1a
Cisco Ios Xe 16.7.1b cpe:/o:cisco:ios_xe:16.7.1b
Cisco Ios Xe 16.8.1 cpe:/o:cisco:ios_xe:16.8.1
Cisco Ios Xe 16.8.1a cpe:/o:cisco:ios_xe:16.8.1a
Cisco Ios Xe 16.8.1b cpe:/o:cisco:ios_xe:16.8.1b
Cisco Ios Xe 16.8.1c cpe:/o:cisco:ios_xe:16.8.1c
Cisco Ios Xe 16.8.1d cpe:/o:cisco:ios_xe:16.8.1d
Cisco Ios Xe 16.8.1e cpe:/o:cisco:ios_xe:16.8.1e
Cisco Ios Xe 16.8.1s cpe:/o:cisco:ios_xe:16.8.1s
Cisco Ios Xe 16.8.2 cpe:/o:cisco:ios_xe:16.8.2
Cisco Ios Xe 16.9.1b cpe:/o:cisco:ios_xe:16.9.1b
Cisco Ios Xe 16.9.1c cpe:/o:cisco:ios_xe:16.9.1c
Cisco Ios Xe 16.9.1d cpe:/o:cisco:ios_xe:16.9.1d
Cisco Ios Xe 16.9.1s cpe:/o:cisco:ios_xe:16.9.1s
  1. Cisco (1) Search CVE
    1. Ios Xe (16) Search CVE
      1. 3.2.0ja
      2. 16.7.1
      3. 16.7.1a
      4. 16.7.1b
      5. 16.8.1
      6. 16.8.1a
      7. 16.8.1b
      8. 16.8.1c
      9. 16.8.1d
      10. 16.8.1e
      11. 16.8.1s
      12. 16.8.2
      13. 16.9.1b
      14. 16.9.1c
      15. 16.9.1d
      16. 16.9.1s


ID Name Description Links
CWE-20 Improper Input Validation The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program. CVE

History of changes

Date Event
2019-10-09 23:47