Cooper Timewell

**Name of the Vulnerable Software and Affected Versions** Cisco Nexus Dashboard (affected versions not specified) **Description** The issue is related to insufficient access control protections, which could allow an authenticated, local attacker with valid credentials to elevate privileges to root on an affected device. This is due to inadequate protections for a sensitive access token, which an attacker could exploit to access resources within the device infrastructure, potentially gaining root access to the filesystem or hosted containers. **Recommendations** For all affected versions, consider restricting access to sensitive resources and tokens until a patch is available. As a temporary workaround, limit the use of rescue-user credentials to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco Nexus Dashboard versions (affected versions not specified) **Description** A vulnerability in the web-based management interface could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack. This issue is due to insufficient CSRF protections for the web-based management interface. An attacker could exploit this by persuading a user to click a malicious link, potentially allowing the attacker to perform arbitrary actions with the privilege level of the affected user, including modifying system configuration and creating new privileged accounts if the user has administrative privileges. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco Nexus Dashboard (affected versions not specified) **Description** The issue is related to insufficient access controls on a specific API endpoint, allowing a remote attacker to gain unauthorized access to protected information by sending specially crafted requests. This could enable an attacker to access metrics and information about devices in the Nexus Dashboard cluster. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited. **Recommendations** For Cisco Nexus Dashboard, consider restricting access to the vulnerable API endpoint until a patch is available. As a temporary workaround, avoid using the vulnerable API endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.