PT-2017-17226 · Cisco · Cisco Evolved Programmable Network Manager+1

Published: 2017-06-26 · Updated: 2019-07-29 · CVE-2017-6662

CVSS v3.1: 8.0 (High)

Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Cisco Prime Infrastructure versions 1.1 through 3.1.6
Cisco Evolved Programmable Network Manager versions 1.2, 2.0, 2.1

Description

A vulnerability in the web-based user interface of Cisco Prime Infrastructure and Evolved Programmable Network Manager could allow an authenticated, remote attacker to have read and write access to information stored in the affected system, as well as perform remote code execution. The attacker must have valid user credentials. This issue is due to improper handling of XML External Entity (XXE) entries when parsing an XML file. An attacker could exploit this by convincing the administrator to import a crafted XML file with malicious entries, allowing the attacker to read and write files and execute remote code within the application.

Recommendations

For Cisco Prime Infrastructure versions 1.1 through 3.1.6, update to a version that fixes the improper handling of XML External Entity entries. For Cisco Evolved Programmable Network Manager versions 1.2, 2.0, 2.1, update to a version that fixes the improper handling of XML External Entity entries. As a temporary workaround, consider restricting the import of XML files to minimize the risk of exploitation.

Fix

XXE

RCE

Weakness Enumeration

Related Identifiers

CVE-2017-6662

Affected Products

Cisco Evolved Programmable Network Manager
Cisco Prime Infrastructure