ID CVE-2006-3226
Summary Cisco Secure Access Control Server (ACS) 4.x for Windows uses the client's IP address and the server's port number to grant access to an HTTP server port for an administration session, which allows remote attackers to bypass authentication via various methods, aka "ACS Weak Session Management Vulnerability."
References
Vulnerable Configurations
  • cpe:2.3:a:cisco:secure_access_control_server:4.0:*:windows:*:*:*:*:*
  • cpe:2.3:a:cisco:secure_access_control_server:4.0.1:*:windows:*:*:*:*:*
CVSS
Base: 7.5 (as of 18-10-2018 - 16:46)
Impact:
Exploitability:
CWE NVD-CWE-Other
CAPEC
Access
Vector Complexity Authentication
NETWORK LOW NONE
Impact
Confidentiality Integrity Availability
PARTIAL PARTIAL PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:P/A:P
refmap via4
bid 18621
bugtraq
  • 20060623 Cisco Secure ACS Weak Session Management Vulnerability
  • 20060623 Re: Cisco Secure ACS Weak Session Management Vulnerability
cisco 20060623 Cisco Secure ACS Weak Session Management Vulnerability
osvdb 26825
sectrack 1016369
secunia 20816
sreason 1157
vupen ADV-2006-2524
xf cisco-acs-session-spoofing(27328)
Last major update 18-10-2018 - 16:46
Published 26-06-2006 - 16:05
Last modified 18-10-2018 - 16:46