Cisco has released a patch for a vulnerability tracked as CVE-2020-27130, which carries a CVSS base score of 9.1. The flaw was found in Cisco Security Manager and could allow an attacker to gain access to sensitive information. It is caused by improper validation of directory traversal character sequences within requests to an affected device.
CVSS Score: Base 9.1
According to Cisco’s announcement, the vulnerability affects Cisco Security Manager release 4.21 and earlier. Release 4.22 fixes the vulnerability, and there are no workarounds that address it. An attacker can exploit the vulnerability by sending a crafted request to an affected device; a successful exploit could allow the attacker to download arbitrary files from that device. The company also stated that the Cisco Product Security Incident Response Team is not aware of any malicious use of the vulnerability.
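As an added illustration (not Cisco's code and not part of the advisory), the Python below shows the path check a file-download handler needs in order to reject directory traversal sequences, together with a detector that flags such requests in constructed access-log lines. The base directory, request paths and log entries are hypothetical.

```python
import os
import re
from urllib.parse import unquote

# Constructed access-log lines (hypothetical hosts, paths and timestamps).
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Nov/2020:10:01:02 +0000] "GET /files/weekly.pdf HTTP/1.1" 200 4096',
    '10.0.0.9 - - [16/Nov/2020:10:01:07 +0000] "GET /files/..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1821',
    '10.0.0.9 - - [16/Nov/2020:10:01:09 +0000] "GET /files/%252e%252e%252fconf%252fserver.xml HTTP/1.1" 404 0',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+)')
DOTDOT_RE = re.compile(r"\.\.[/\\]")


def decode_twice(path: str) -> str:
    # Decode twice so %2e%2e%2f and %252e%252e%252f both become "../".
    return unquote(unquote(path))


def resolve_within(base_dir: str, requested: str):
    """Return the canonical absolute path for `requested` if it stays inside
    `base_dir`, otherwise None. This is the check a file-download handler
    must perform before opening the file."""
    decoded = decode_twice(requested)
    if "\x00" in decoded:          # a NUL byte can truncate the path in lower layers
        return None
    base = os.path.realpath(base_dir)
    # Strip leading separators so os.path.join cannot discard base_dir.
    candidate = os.path.realpath(os.path.join(base, decoded.lstrip("/\\")))
    # Accept only the base itself or a path strictly beneath it.
    if candidate != base and not candidate.startswith(base + os.sep):
        return None
    return candidate


def flag_traversal_requests(log_lines):
    """Return request paths whose decoded form contains a '..' segment,
    catching raw, URL-encoded and double-encoded traversal sequences."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if m and DOTDOT_RE.search(decode_twice(m.group(1))):
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    for path in flag_traversal_requests(SAMPLE_LOG):
        print("traversal attempt:", path)
    print(resolve_within("/srv/app/files", "..%2f..%2fetc%2fpasswd"))  # None
```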