CVE-2017-6746

HIGH

Cisco Web Security Appliance - Command Injection

Title source: llm
STIX 2.1

Description

A vulnerability in the web interface of the Cisco Web Security Appliance (WSA) could allow an authenticated, remote attacker to perform command injection and elevate privileges to root. The attacker must authenticate with valid administrator credentials. Affected Products: Cisco AsyncOS Software 10.0 and later for WSA on both virtual and hardware appliances. More Information: CSCvd88862. Known Affected Releases: 10.1.0-204. Known Fixed Releases: 10.5.1-270 10.1.1-235.

References (3)

Core 3
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/99877
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1038948

Scores

CVSS v3 7.2
EPSS 0.0440
EPSS Percentile 90.1%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-20
Status published
Products (12)
cisco/web_security_appliance 10.0.0-233
cisco/web_security_appliance 10.0_base
cisco/web_security_appliance 10.1.0
cisco/web_security_appliance 10.1.0-204
cisco/web_security_appliance 10.1.1-230
cisco/web_security_appliance 10.1.1-234
cisco/web_security_appliance 10.5.0
cisco/web_security_appliance 10.5.0-358
cisco/web_security_appliance 11.0.0
cisco/web_security_appliance 11.0.0-613
... and 2 more
Published Jul 25, 2017
Tracked Since Feb 18, 2026