CVE-2023-20066 — Vulnetix

CVE-2023-20066 PUBLISHED CVSS 6.5 MEDIUM

A vulnerability in the web UI of Cisco IOS XE Software could allow an authenticated, remote attacker to perform a directory traversal and access resources that are outside the filesystem mountpoint of the web UI. This vulnerability is due to an insufficient security configuration. An attacker could exploit this vulnerability by sending a crafted request to the web UI. A successful exploit could allow the attacker to gain read access to files that are outside the filesystem mountpoint of the web UI. Note: These files are located on a restricted filesystem that is maintained for the web UI. There is no ability to write to any files on this filesystem.

EPSS 0.40% · 61.0th percentile

Risk Scores

CVSS 3.1

6.5

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS Score

0.40%

61.0th percentile

Affected Products

Vendor	Product	Versions
cisco	ios_xe	16.12.3, 17.3.2, 17.6.2
Cisco	Cisco IOS XE Software	*

Exploit Intelligence

20230322 Cisco IOS XE Software Web UI Path Traversal Vulnerability (circl)

Timeline

Mar 23, 2023 CVE Published
Mar 24, 2023 EPSS Score
May 1, 2023 EPSS Score
Jun 9, 2023 EPSS Score
Jul 17, 2023 EPSS Score
Aug 25, 2023 EPSS Score
Oct 2, 2023 EPSS Score
Nov 9, 2023 EPSS Score
Dec 18, 2023 EPSS Score
Jan 25, 2024 EPSS Score
Mar 3, 2024 EPSS Score
Apr 11, 2024 EPSS Score

References

20230322 Cisco IOS XE Software Web UI Path Traversal Vulnerability vendor-advisory
https://nvd.nist.gov/vuln/detail/CVE-2023-20066 advisory

Open in Interactive Console →