10.6.2

CVSS 4.3 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

LOW

Integrity impact

NONE

Availability impact

NONE

network

low complexity

cisco

CWE-862

NVD

Published: 2021-01-13

Updated: 2023-11-07

Summary

A vulnerability in Cisco Connected Mobile Experiences (CMX) API authorizations could allow an authenticated, remote attacker to enumerate what users exist on the system. The vulnerability is due to a lack of authorization checks for certain API GET requests. An attacker could exploit this vulnerability by sending specific API GET requests to an affected device. A successful exploit could allow the attacker to enumerate users of the CMX system.

Vulnerable Configurations

Part	Description	Count
Application	Cisco Cisco Connected Mobile Experiences 10.6.2 Cisco Connected Mobile Experiences 10.6.0 Cisco Connected Mobile Experiences 10.6.1	3

Common Weakness Enumeration (CWE)

CWE-862 - Missing Authorization

References

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cmxapi-KsKwCmfp