Detections
Analytics

Cisco Smart Software Manager On-Prem Password Change (cisco-sa-cssm-auth-sLw3uhUy)

critical Nessus Plugin ID 205336

Synopsis

The remote device is missing a vendor-supplied security patch.

Description

According to its self-reported version, Cisco Smart Software Manager On-Prem Password Change is affected by a vulnerability.

 - A vulnerability in the authentication system of Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an unauthenticated, remote attacker to change the password of any user, including administrative users. This vulnerability is due to improper implementation of the password-change process. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow an attacker to access the web UI or API with the privileges of the compromised user.
 (CVE-2024-20419)

Please see the included Cisco BIDs and Cisco Security Advisory for more information.

Solution

Upgrade to the relevant fixed version referenced in Cisco bug ID CSCwk21399

See Also

http://www.nessus.org/u?ce51e5e3

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwk21399

Plugin Details

Severity: Critical

ID: 205336

File Name: cisco-sa-cssm-auth-sLw3uhUy.nasl

Version: 1.1

Type: combined

Family: CISCO

Published: 8/9/2024

Updated: 8/9/2024

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Critical

Score: 9.9

CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2024-20419

CVSS v3

Risk Factor: Critical

Base Score: 10

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Vulnerability Information

CPE: cpe:/a:cisco:smart_software_manager_on-prem

Required KB Items: Cisco Smart Software Manager On-Prem

Patch Publication Date: 7/17/2024

Vulnerability Publication Date: 7/17/2024

Reference Information

CVE: CVE-2024-20419

CWE: 620

CISCO-SA: cisco-sa-cssm-auth-sLw3uhUy

CISCO-BUG-ID: CSCwk21399