The vulnerability is addressed in the 2018.1, 2018.2 versions of CloudVision Portal

Overview :

In CloudVision Portal all releases in the 2018.1 and 2018.2 Code train allows users with read-only permissions to bypass permissions for restricted functionality via CVP API calls through the Configlet Builder modules. This vulnerability can potentially enable authenticated users with read-only access to take actions that are otherwise restricted in the GUI.

Affected Product(s) :

All releases in the 2018.1 Code train
All releases in the 2018.2 Code train

Vulnerability Details :

CVE ID :	CVE-2019-15006
	CVSSv3 Base Score: 5.6 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N)

Solution :

The vulnerability is addressed in the 2019.1.0 and later versions of CloudVision Portal. We recommend upgrading to a remediated release to safeguard against this vulnerability.

Additionally, for the 2018.2 release train, a hotfix is available in the form of a python script that updates permissions for the affected APIs. For the 2018.1 code train, the suggested course of action is to upgrade to one of the remediated release versions (2019.1.0 and above).

Patch file download URL: SecAdvisory0044Hotfix.pyc

Contact us to get started

CVE-2024-20418 : CISCO IOS XE CONTROLLER WEB-BASED MANAGEMENT INTERFACE COMMAND INJECTION

Description A vulnerability in the web-based management interface of Cisco Unified Industrial Wireless Software for Cisco Ultra-Reliable Wireless Backhaul (URWB)

Learn more

CVE-2024-20536 : CISCO DATA CENTER NETWORK MANAGER 12.1.2E/12.1.2P/12.1.3B WEB-BASED MANAGEMENT INTERFACE/REST API ENDPOINT SQL INJECTION

Description A vulnerability in a REST API endpoint and web-based management interface of Cisco Nexus Dashboard Fabric Controller (NDFC) could

Learn more

CVE-2024-50340 : SYMFONY INJECTION

Description symfony/runtime is a module for the Symphony PHP framework which enables decoupling PHP applications from global state. When the

Learn more