MEDIUM✓ PATCH🇬🇧 English

CVE-2023-20136

CVSS 4.3v3.1pub. 2023-06-28upd. 2024-11-21

A vulnerability in the OpenAPI of Cisco Secure Workload could allow an authenticated, remote attacker with the privileges of a read-only user to execute operations that should require Administrator privileges. The attacker would need valid user credentials. This vulnerability is due to improper role-based access control (RBAC) of certain OpenAPI operations. An attacker could exploit this vulnerability by issuing a crafted OpenAPI function call with valid credentials. A successful exploit could allow the attacker to execute OpenAPI operations that are reserved for the Administrator user, including the creation and deletion of user labels.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
  • Cisco Secure Workload

    APP
    Cisco
    < 3.7.1.40
🟢
PATCH DOSTĘPNY
Aktualizacja od producenta gotowa. Wdrożenie w ramach standardowego cyklu.
CWE
Referencje

Powiązane podatności

CVE-2026-20223CRITICAL10.0PL ✓ten sam produkt

Cisco Secure Workload — nieautoryzowany dostęp do REST API z uprawnieniami Site Admin

CVE-2026-20182CRITICAL10.0⚠ KEVPL ✓ten sam vendor

Cisco Catalyst SD-WAN — pominięcie uwierzytelnienia z dostępem administracyjnym

CVE-2026-20131CRITICAL10.0⚠ KEVPL ✓ten sam vendor

RCE przez insecure deserialization w Cisco Secure Firewall Management Center

CVE-2026-20127CRITICAL10.0⚠ KEVPL ✓ten sam vendor

Cisco Catalyst SD-WAN — ominięcie uwierzytelnienia peering i przejęcie uprawnień

CVE-2025-20393CRITICAL10.0⚠ KEVPL ✓ten sam vendor

RCE z uprawnieniami root w Cisco Secure Email Gateway i Secure Email and Web Manager