Cisco Secure ACS Portal Session Management Vulnerability

ID CISCO-SA-20140127-CVE-2014-0678
Type cisco
Reporter Cisco
Modified 2014-01-27T14:19:58


A vulnerability in the portal interface of Cisco Secure Access Control System (ACS) could allow an authenticated, remote attacker to access the portal with the access capabilities of another user.

The vulnerability is due to insufficient session management in the portal. An attacker could exploit this vulnerability by hijacking the session of a previously authenticated user. An exploit could allow the attacker to perform actions in the portal with the privileges of another user.

Cisco has confirmed the vulnerability in a security notice and released software updates.

To exploit this vulnerability, an attacker must authenticate to the targeted device. This access requirement decreases the likelihood of a successful exploit.
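
As an added example (not from the Cisco notice), the Python code below shows one defender-side check for the outcome described above: a portal session being used by someone other than the user who authenticated it, where the other party is itself an authenticated user. The advisory does not state how the session handling fails, so the two heuristics, the event layout and the sample records are assumptions constructed for illustration and are not the ACS log format.

```python
from collections import namedtuple

# Constructed sample records; the field layout is an assumption, not the ACS log format.
Event = namedtuple("Event", "ts src_ip kind session user")

SAMPLE = [
    Event(100, "10.0.0.5", "login",   "S-A1", "alice"),
    Event(110, "10.0.0.9", "login",   "S-B1", "bob"),
    Event(120, "10.0.0.5", "request", "S-A1", None),
    Event(130, "10.0.0.9", "request", "S-A1", None),  # bob's host presents alice's session
    Event(140, "10.0.0.5", "logout",  "S-A1", None),
    Event(150, "10.0.0.9", "request", "S-A1", None),  # session still presented after logout
    Event(160, "10.0.0.9", "request", "S-B1", None),
]

def find_session_anomalies(events):
    """Return (ts, session, owner, reason) tuples for suspicious session use."""
    owner = {}      # session id -> (user, source IP seen at login)
    ip_user = {}    # source IP -> user who most recently logged in from it
    closed = set()  # sessions that have been logged out
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "login":
            owner[ev.session] = (ev.user, ev.src_ip)
            ip_user[ev.src_ip] = ev.user
        elif ev.kind == "logout":
            closed.add(ev.session)
        elif ev.kind == "request":
            if ev.session not in owner:
                findings.append((ev.ts, ev.session, None, "unknown-session"))
                continue
            user, login_ip = owner[ev.session]
            # Heuristic 1: a logged-out session should never be accepted again.
            if ev.session in closed:
                findings.append((ev.ts, ev.session, user, "used-after-logout"))
            # Heuristic 2: session presented from a host that logged in as someone else.
            other = ip_user.get(ev.src_ip)
            if ev.src_ip != login_ip and other not in (None, user):
                findings.append((ev.ts, ev.session, user, f"presented-by-host-of:{other}"))
    return findings

if __name__ == "__main__":
    for finding in find_session_anomalies(SAMPLE):
        print(finding)
```

Source-address correlation produces false positives behind NAT or shared proxies, so treat a hit as a lead to review alongside the portal's own audit records rather than as proof of hijacking.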