CVE-2025-20348

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-20348
A vulnerability in the REST API endpoints of Cisco Nexus Dashboard and Cisco Nexus Dashboard Fabric Controller (NDFC) could allow an authenticated, low-privileged, remote attacker to view sensitive information or upload and modify files on an affected device. This vulnerability exists because of missing authorization controls on some REST API endpoints. An attacker could exploit th vulnerability by sending crafted API requests to an affected endpoint. A successful exploit could allow the attacker to perform limited Administrator functions, such as accessing sensitive information regarding HTTP Proxy and NTP configurations, uploading images, and damaging image files on an affected device.

5.0 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.1 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nshs-urapi-gJuBVFpu
Configurations

No configuration.

History

29 Aug 2025, 16:24

Type Values Removed Values Added
Summary
  • (es) Una vulnerabilidad en los endpoints de la API REST de Cisco Nexus Dashboard y Cisco Nexus Dashboard Fabric Controller (NDFC) podría permitir que un atacante remoto autenticado y con pocos privilegios acceda a información confidencial o cargue y modifique archivos en un dispositivo afectado. Esta vulnerabilidad se debe a la falta de controles de autorización en algunos endpoints de la API REST. Un atacante podría explotar esta vulnerabilidad enviando solicitudes de API manipuladas a un endpoint afectado. Una explotación exitosa podría permitir al atacante realizar funciones limitadas de administrador, como acceder a información confidencial sobre las configuraciones de proxy HTTP y NTP, cargar imágenes y dañar archivos de imagen en un dispositivo afectado.

27 Aug 2025, 17:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-08-27 17:15

Updated : 2025-08-29 16:24

NVD link : CVE-2025-20348

Mitre link : CVE-2025-20348

CVE.ORG link : CVE-2025-20348

JSON object : View

Products Affected

No product.

CWE
CWE-201

Insertion of Sensitive Information Into Sent Data