Cisco » Connected Grid Network Management System : Security Vulnerabilities, CVEs,

A vulnerability in the TCP throttling process for Cisco IoT Field Network Director (IoT-FND) could allow an unauthenticated, remote attacker to cause the system to consume additional memory, eventually forcing the device to restart, aka Memory Exhaustion. The vulnerability is due to insufficient rate-limiting protection. An attacker could exploit this vulnerability by sending a high rate of TCP packets to a specific group of open listening ports on a targeted device. An exploit could allow the attacker to cause the system to consume additional memory. If enough available memory is consumed, the system will restart, creating a temporary denial of service (DoS) condition. The DoS condition will end after the device has finished the restart process. This vulnerability affects the following Cisco products: Connected Grid Network Management System, if running a software release prior to IoT-FND Release 4.0; IoT Field Network Director, if running a software release prior to IoT-FND Release 4.0. Cisco Bug IDs: CSCvc77164.

The web GUI in Cisco Connected Grid Network Management System (CG-NMS) 3.0(0.35) and 3.0(0.54) allows remote authenticated users to bypass intended access restrictions and modify the configuration by leveraging the Monitor-Only role, aka Bug ID CSCuw42640.

Multiple cross-site scripting (XSS) vulnerabilities in the element-list implementation in Cisco Connected Grid Network Management System (CG-NMS) allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka Bug IDs CSCue14517, CSCue38914, CSCue38884, CSCue38882, CSCue38881, CSCue38872, CSCue38868, CSCue38866, CSCue38853, and CSCue14540.

Multiple SQL injection vulnerabilities in the device-management implementation in Cisco Connected Grid Network Management System (CG-NMS) allow remote attackers to execute arbitrary SQL commands via unspecified vectors, aka Bug IDs CSCue14553 and CSCue38746.