PT-2024-5066 · Cisco · Cisco Smart Software Manager On-Prem

Mohammed Adel · Published 2024-07-17 · Updated 2026-03-13 · CVE-2024-20419

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Cisco Smart Software Manager On-Prem versions 8-202206 and earlier
Description: A vulnerability in the authentication system of Cisco Smart Software Manager On-Prem could allow an unauthenticated, remote attacker to change the password of any user, including administrative users. This vulnerability is due to improper implementation of the password-change process. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow an attacker to access the web UI or API with the privileges of the compromised user.
Recommendations: For Cisco Smart Software Manager On-Prem versions 8-202206 and earlier, update to a version that includes the fix for this vulnerability. As a temporary workaround, consider restricting access to the affected device to minimize the risk of exploitation. Avoid using the vulnerable authentication system until the issue is resolved.

Exploit

Fix

Weakness Enumeration

Related Identifiers

BDU:2024-05593
CVE-2024-20419

Affected Products

Cisco Smart Software Manager On-Prem