CVE-2016-1406

The API web interface in Cisco Prime Infrastructure before 3.1 and Cisco Evolved Programmable Network Manager before 1.2.4 allows remote authenticated users to bypass intended RBAC restrictions and obtain sensitive information, and consequently gain privileges, via crafted JSON data, aka Bug ID CSCuy12409.

Published: May 25, 2016
Updated: Apr 13, 2023
CVE: CVE-2016-1406
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.8
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P

CWEs:

CWE-284

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
cisco / evolved_programmable_network_manager	1.2.1.3	1.2.1.3.x
cisco / prime_infrastructure	1.4.2	1.4.2.x
cisco / prime_infrastructure	2.2	2.2.x
cisco / prime_infrastructure	1.2.1	1.2.1.x
cisco / prime_infrastructure	2.1.0	2.1.0.x
cisco / evolved_programmable_network_manager	1.2.0	1.2.0.x
cisco / prime_infrastructure	1.3.0.20	1.3.0.20.x
cisco / evolved_programmable_network_manager	1.2.300	1.2.300.x
cisco / evolved_programmable_network_manager	1.2.200	1.2.200.x
cisco / prime_infrastructure	1.2.0.103	1.2.0.103.x
cisco / prime_infrastructure	2.2(2)	2.2(2).x
cisco / prime_infrastructure	1.4.0.45	1.4.0.45.x
cisco / prime_infrastructure	1.4.1	1.4.1.x
cisco / prime_infrastructure	1.2	1.2.x
cisco / prime_infrastructure	1.3	1.3.x
cisco / prime_infrastructure	1.4	1.4.x
cisco / prime_infrastructure	3.0	3.0.x
cisco / prime_infrastructure	2.0	2.0.x

Vulnerability Database

289,599

CVE-2016-1406