Pierre Denouel

**Name of the Vulnerable Software and Affected Versions** Cisco Enterprise NFV Infrastructure Software (NFVIS) (affected versions not specified) **Description** The issue is related to multiple vulnerabilities in Cisco Enterprise NFV Infrastructure Software (NFVIS) that could allow an attacker to escape from the guest virtual machine (VM) to the host machine, inject commands that execute at the root level, or leak system data from the host to the VM. A vulnerability in the next-generation input/output (NGIO) function is associated with inadequate access control, which can be exploited by a remote attacker to elevate privileges by sending an API call from a virtual machine. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco Enterprise NFV Infrastructure Software (NFVIS) (affected versions not specified) **Description** The issue is related to insufficient access control in the image registration process of Cisco Enterprise NFV Infrastructure Software (NFVIS), which could allow a remote attacker to execute arbitrary commands by installing a virtual machine image with crafted metadata. Additionally, there are multiple vulnerabilities that could enable an attacker to escape from a guest virtual machine to the host machine, inject commands that execute at the root level, or leak system data from the host to the VM. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco Enterprise NFV Infrastructure Software (NFVIS) (affected versions not specified) **Description** The issue concerns multiple vulnerabilities in Cisco Enterprise NFV Infrastructure Software (NFVIS) that could allow an attacker to escape from the guest virtual machine (VM) to the host machine, inject commands that execute at the root level, or leak system data from the host to the VM. One of the vulnerabilities is related to the incorrect restriction of XML links to external objects in the software import function, which could allow a remote attacker to disclose protected information using specially crafted XML code. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.