CVE-2024-20340

CVSS V2 None CVSS V3 None

Description

A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software, formerly Firepower Management Center Software, could allow an authenticated, remote attacker to perform an SQL injection attack against an affected device. To exploit this vulnerability, an attacker must have a valid account on the device with the role of Security Approver, Intrusion Admin, Access Admin, or Network Admin. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request to the web-based management interface of an affected device. A successful exploit could allow the attacker to read the contents of databases on the affected device and also obtain limited read access to the underlying operating system.

Overview

CVE ID
CVE-2024-20340

Assigner
cisco

Vulnerability Status
PUBLISHED

Published Version
2024-10-23T17:09:10.266Z

Last Modified Date
2024-10-23T17:09:10.266Z

Weakness Enumerations

CWE	URL
CWE-89	http://cwe.mitre.org/data/definitions/89.html

References

Reference URL	Reference Tags
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-sql-inject-2EnmTC8v
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-xss-M446vbEO
https://sec.cloudapps.cisco.com/security/center/viewErp.x?alertId=ERP-75300

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-20340
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20340

History

Created	Old Value	New Value	Data Type	Notes
2024-10-24 13:20:26				Added to TrackCVE