CVE-2016-6461

MEDIUM

Cisco Adaptive Security Appliance Software - XML Command Injection via HTTP Web Interface

Title source: llm
STIX 2.1

Description

A vulnerability in the HTTP web-based management interface of the Cisco Adaptive Security Appliance (ASA) could allow an unauthenticated, remote attacker to inject arbitrary XML commands on the affected system. More Information: CSCva38556. Known Affected Releases: 9.1(6.10). Known Fixed Releases: 100.11(0.75) 100.15(0.137) 100.8(40.129) 96.2(0.95) 97.1(0.55) 97.1(12.7) 97.1(6.30).

References (3)

Core 3
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/94365
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1037306

Scores

CVSS v3 5.9
EPSS 0.0179
EPSS Percentile 75.7%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

CWE
CWE-20
Status published
Products (50)
cisco/adaptive_security_appliance_software 9.1\(7\)4
cisco/adaptive_security_appliance_software 9.1\(7\)7
cisco/adaptive_security_appliance_software 9.1\(7\)9
cisco/adaptive_security_appliance_software 9.1\(7\)11
cisco/adaptive_security_appliance_software 9.1\(7\)12
cisco/adaptive_security_appliance_software 9.1.6.10
cisco/adaptive_security_appliance_software 9.2\(0.0\)
cisco/adaptive_security_appliance_software 9.2\(0.104\)
cisco/adaptive_security_appliance_software 9.2\(3.1\)
cisco/adaptive_security_appliance_software 9.2.1
... and 40 more
Published Nov 19, 2016
Tracked Since Feb 18, 2026