Hi,

Cisco security advisories for similar vulnerabilities (e.g. Command Injection) regarding CLI and web UI differs in case of scoring CVSS in attack vector parameter. CLI vulnerabilities are scored with "Local" and web UI with "Network" AV. I wonder what is the difference here, because both of these user interfaces can be accessed (and therefore exploited) over the network.

Here are two examples for CLI and web UI:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fxos-cmdinj-TxcLNZNH

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webui-cmdinj-Gje47EMn

Thanks.