CiscoWorks Common Management Foundation (CMF), also packaged as part
of CiscoWorks CD One, provides an application infrastructure foundation,
allowing all CiscoWorks applications to share a common model for data storage,
login, user role definitions, access privileges, and security protocols, as
well as for navigation and launch management.

Two vulnerabilities exist in CiscoWorks CMF versions prior to and
including 2.1. The first vulnerability is a privilege escalation vulnerability
where a guest user may obtain administrative privileges within the application
via a specially crafted URL. The second vulnerability is an ability to run
arbitrary commands on the CiscoWorks server due to an error in processing user

Cisco is making patches available for CMF versions 2.0 and 2.1, free
of charge, to correct the problem.

This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20030813-cmf