The version of Cisco DNA Center installed on the remote host is prior to 2.3.3.7 or 2.3.5.3. It is, therefore, affected by multiple vulnerabilities:
– Insufficient validation of user-supplied input in API request parameters. An authenticated, remote attacker can send a specially crafted API request to an affected device to execute arbitrary commands in a restricted container as the root user. (CVE-2023-20182)
– Due to improper authorization of API requests, a remote attacker with low privileges can send a specific API request to an affected device to enumerate limited information about users configured on the device. This information does not include passwords or password hashes. (CVE-2023-20183)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.