Lucene search

[email protected]CVE-2019-1904

HistoryJun 21, 2019 - 3:15 a.m.

CVE-2019-1904

2019-06-2103:15:09

CWE-352

[email protected]

web.nvd.nist.gov

299

cisco

ios xe

software

vulnerability

cve-2019-1904

csrf

cross-site request forgery

security

nvd

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

9.1 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

59.9%

JSON

A vulnerability in the web-based UI (web UI) of Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protections for the web UI on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user. If the user has administrative privileges, the attacker could alter the configuration, execute commands, or reload an affected device. This vulnerability affects Cisco devices that are running a vulnerable release of Cisco IOS XE Software with the HTTP Server feature enabled. The default state of the HTTP Server feature is version dependent.

Affected configurations

NVD

Node

cisco4321_integrated_services_routerMatch-

AND

ciscoios_xeMatch16.1.3

ciscoios_xeMatch16.2.1

ciscoios_xeMatch16.3.1

Node

cisco4331_integrated_services_routerMatch-

AND

ciscoios_xeMatch16.1.3

ciscoios_xeMatch16.2.1

ciscoios_xeMatch16.3.1

Node

ciscoasr_1002-xMatch-

AND

ciscoios_xeMatch16.1.3

ciscoios_xeMatch16.2.1

ciscoios_xeMatch16.3.1

Node

cisco4431_integrated_services_routerMatch-

AND

ciscoios_xeMatch16.1.3

ciscoios_xeMatch16.2.1

ciscoios_xeMatch16.3.1

Node

ciscocloud_services_router_1000vMatch-

AND

ciscoios_xeMatch16.1.3

ciscoios_xeMatch16.2.1

ciscoios_xeMatch16.3.1

Node

ciscoasr_1000_series_route_processor_\(rp2\)Match-

AND

ciscoios_xeMatch16.1.3

ciscoios_xeMatch16.2.1

ciscoios_xeMatch16.3.1

Node

cisco4351_integrated_services_routerMatch-

AND

ciscoios_xeMatch16.1.3

ciscoios_xeMatch16.2.1

ciscoios_xeMatch16.3.1

Node

cisco4451-x_integrated_services_routerMatch-

AND

ciscoios_xeMatch16.1.3

ciscoios_xeMatch16.2.1

ciscoios_xeMatch16.3.1

Node

ciscoios_xeMatch16.1.3

ciscoios_xeMatch16.2.1

ciscoios_xeMatch16.3.1

AND

ciscoasr_1002-hxMatch-

Node

ciscoios_xeMatch16.1.3

ciscoios_xeMatch16.2.1

ciscoios_xeMatch16.3.1

AND

ciscoasr_1001-xMatch-

CPENameOperatorVersion
cisco:ios_xecisco ios xeeq16.1.3
cisco:ios_xecisco ios xeeq16.2.1
cisco:ios_xecisco ios xeeq16.3.1

CPE	Name	Operator	Version
cisco:ios_xe	cisco ios xe	eq	16.1.3
cisco:ios_xe	cisco ios xe	eq	16.2.1
cisco:ios_xe	cisco ios xe	eq	16.3.1

CNA Affected

[
  {
    "product": "Cisco IOS XE Software",
    "vendor": "Cisco",
    "versions": [
      {
        "lessThan": "16.4.1",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]

References

tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190612-iosxe-csrf

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

9.1 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

59.9%

JSON

Related for CVE-2019-1904

cvelist1 threatpost1 prion1 nvd1 nessus1 cisco1