Lucene search

CiscoCVE-2019-12624

HistoryAug 21, 2019 - 7:15 p.m.

CVE-2019-12624

2019-08-2119:15:13

CWE-352

cisco

web.nvd.nist.gov

cisco

ios

ngwc

vulnerability

csrf

attack

web interface

security

nvd

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

8.8

Confidence

High

EPSS

0.001

Percentile

51.2%

JSON

A vulnerability in the web-based management interface of Cisco IOS XE New Generation Wireless Controller (NGWC) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. The vulnerability is due to insufficient CSRF protections for the web-based management interface of the affected software. An attacker could exploit this vulnerability by persuading a user of the interface to follow a crafted link. A successful exploit could allow the attacker to perform arbitrary actions on an affected device by using a web browser and with the privileges of the user.

Affected configurations

Nvd

Node

ciscoios_xeRange3.0.xe–3.11.xe

AND

cisco5760_wireless_lan_controllerMatch-

ciscocatalyst_3650-12x48uqMatch-

ciscocatalyst_3650-12x48urMatch-

ciscocatalyst_3650-12x48uzMatch-

ciscocatalyst_3650-24pdMatch-

ciscocatalyst_3650-24pdmMatch-

ciscocatalyst_3650-48fqMatch-

ciscocatalyst_3650-48fqmMatch-

ciscocatalyst_3650-8x24uqMatch-

ciscocatalyst_3850-12x48uMatch-

ciscocatalyst_3850-24uMatch-

ciscocatalyst_3850-24xsMatch-

ciscocatalyst_3850-24xuMatch-

ciscocatalyst_3850-48uMatch-

ciscocatalyst_3850-48xsMatch-

ciscocatalyst_3850-nm-2-40gMatch-

ciscocatalyst_3850-nm-8-10gMatch-

ciscocatalyst_4500e_supervisor_engine_8-eMatch-

VendorProductVersionCPE
ciscoios_xe*cpe:2.3:o:cisco:ios_xe:*:*:*:*:*:*:*:*
cisco5760_wireless_lan_controller-cpe:2.3:h:cisco:5760_wireless_lan_controller:-:*:*:*:*:*:*:*
ciscocatalyst_3650-12x48uq-cpe:2.3:h:cisco:catalyst_3650-12x48uq:-:*:*:*:*:*:*:*
ciscocatalyst_3650-12x48ur-cpe:2.3:h:cisco:catalyst_3650-12x48ur:-:*:*:*:*:*:*:*
ciscocatalyst_3650-12x48uz-cpe:2.3:h:cisco:catalyst_3650-12x48uz:-:*:*:*:*:*:*:*
ciscocatalyst_3650-24pd-cpe:2.3:h:cisco:catalyst_3650-24pd:-:*:*:*:*:*:*:*
ciscocatalyst_3650-24pdm-cpe:2.3:h:cisco:catalyst_3650-24pdm:-:*:*:*:*:*:*:*
ciscocatalyst_3650-48fq-cpe:2.3:h:cisco:catalyst_3650-48fq:-:*:*:*:*:*:*:*
ciscocatalyst_3650-48fqm-cpe:2.3:h:cisco:catalyst_3650-48fqm:-:*:*:*:*:*:*:*
ciscocatalyst_3650-8x24uq-cpe:2.3:h:cisco:catalyst_3650-8x24uq:-:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
cisco	ios_xe	*	cpe:2.3:o:cisco:ios_xe::::::::
cisco	5760_wireless_lan_controller	-	cpe:2.3:h:cisco:5760_wireless_lan_controller:-:::::::*
cisco	catalyst_3650-12x48uq	-	cpe:2.3:h:cisco:catalyst_3650-12x48uq:-:::::::*
cisco	catalyst_3650-12x48ur	-	cpe:2.3:h:cisco:catalyst_3650-12x48ur:-:::::::*
cisco	catalyst_3650-12x48uz	-	cpe:2.3:h:cisco:catalyst_3650-12x48uz:-:::::::*
cisco	catalyst_3650-24pd	-	cpe:2.3:h:cisco:catalyst_3650-24pd:-:::::::*
cisco	catalyst_3650-24pdm	-	cpe:2.3:h:cisco:catalyst_3650-24pdm:-:::::::*
cisco	catalyst_3650-48fq	-	cpe:2.3:h:cisco:catalyst_3650-48fq:-:::::::*
cisco	catalyst_3650-48fqm	-	cpe:2.3:h:cisco:catalyst_3650-48fqm:-:::::::*
cisco	catalyst_3650-8x24uq	-	cpe:2.3:h:cisco:catalyst_3650-8x24uq:-:::::::*

Rows per page:

1-10 of 191

CNA Affected

[
  {
    "product": "Cisco IOS XE Software",
    "vendor": "Cisco",
    "versions": [
      {
        "status": "affected",
        "version": "3.xE"
      }
    ]
  }
]

References

tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-iosxe-ngwc-csrf

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

8.8

Confidence

High

EPSS

0.001

Percentile

51.2%

JSON

Related for CVE-2019-12624