Posts for: #Cisco Nexus Dashboard

Cisco Nexus Dashboard Path Traversal Vulnerability

🚨 SEVERITY: MEDIUM — CVSS 6.5 Security Advisory

TL;DR 📌

A medium-severity path traversal vulnerability has been identified in Cisco Nexus Dashboard, allowing a remote attacker who already holds valid Administrator credentials to gain root privileges on the affected device. No workarounds are available, and users are advised to upgrade to fixed software releases.

What happened 🕵️‍♂️

A vulnerability in the backup restore functionality of Cisco Nexus Dashboard could allow an authenticated, remote attacker to conduct a path traversal attack. This issue arises from insufficient validation of backup file contents. An attacker with valid Administrator credentials could exploit this vulnerability by restoring a crafted backup file, potentially gaining root privileges on the affected device.

Cisco Nexus Dashboard and Nexus Dashboard Fabric Controller Unauthorized REST API Vulnerabilities

🚨 SEVERITY: MEDIUM — CVSS 5.4 Security Advisory

TL;DR 📌

Cisco Nexus Dashboard and Nexus Dashboard Fabric Controller have vulnerabilities in their REST API that could allow low-privileged authenticated attackers to access sensitive information or modify files. The highest CVSS score is 5.4 (Medium severity). No workarounds are available, and updates are necessary to mitigate the risks.

What happened 🕵️‍♂️

Multiple vulnerabilities have been identified in the REST API endpoints of Cisco Nexus Dashboard and Cisco Nexus Dashboard Fabric Controller (NDFC). These vulnerabilities arise from missing authorization controls, enabling low-privileged authenticated attackers to potentially view sensitive information or perform limited administrative functions, such as uploading images or accessing configuration details. Exploitation requires sending crafted API requests to affected endpoints.