CVE-2020-26064

Summary

A vulnerability in the web UI of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to gain read and write access to information that is stored on an affected system. The vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by persuading a user to import a crafted XML file with malicious entries. A successful exploit could allow the attacker to read and write files within the affected application.

Affected Software

VendorProductVersion RangeStatus
CiscoCisco SD-WAN vManage17.2.6affected
CiscoCisco SD-WAN vManage17.2.7affected
CiscoCisco SD-WAN vManage17.2.8affected
CiscoCisco SD-WAN vManage17.2.9affected
CiscoCisco SD-WAN vManage17.2.10affected
CiscoCisco SD-WAN vManage17.2.4affected
CiscoCisco SD-WAN vManage17.2.5affected
CiscoCisco SD-WAN vManage18.3.1.1affected
CiscoCisco SD-WAN vManage18.3.3.1affected
CiscoCisco SD-WAN vManage18.3.3affected
CiscoCisco SD-WAN vManage18.3.4affected
CiscoCisco SD-WAN vManage18.3.5affected
CiscoCisco SD-WAN vManage18.3.7affected
CiscoCisco SD-WAN vManage18.3.8affected
CiscoCisco SD-WAN vManage18.3.6.1affected
CiscoCisco SD-WAN vManage18.3.1affected
CiscoCisco SD-WAN vManage18.3.0affected
CiscoCisco SD-WAN vManage18.4.0.1affected
CiscoCisco SD-WAN vManage18.4.3affected
CiscoCisco SD-WAN vManage18.4.302affected
CiscoCisco SD-WAN vManage18.4.303affected
CiscoCisco SD-WAN vManage18.4.4affected
CiscoCisco SD-WAN vManage18.4.5affected
CiscoCisco SD-WAN vManage18.4.0affected
CiscoCisco SD-WAN vManage18.4.1affected
CiscoCisco SD-WAN vManage19.2.0affected
CiscoCisco SD-WAN vManage19.2.097affected
CiscoCisco SD-WAN vManage19.2.099affected
CiscoCisco SD-WAN vManage19.2.1affected
CiscoCisco SD-WAN vManage19.2.2affected
CiscoCisco SD-WAN vManage19.2.3affected
CiscoCisco SD-WAN vManage19.2.31affected
CiscoCisco SD-WAN vManage19.2.929affected
CiscoCisco SD-WAN vManage20.1.1.1affected
CiscoCisco SD-WAN vManage20.1.12affected
CiscoCisco SD-WAN vManage20.1.1affected
CiscoCisco SD-WAN vManage19.3.0affected
CiscoCisco SD-WAN vManage19.1.0affected
CiscoCisco SD-WAN vManage18.2.0affected
CiscoCisco SD-WAN vManage20.3.1affected

Weaknesses

  • CWE-611: Improper Restriction of XML External Entity Reference

ADP Enrichment

CVE Program Container

Additional References

References