CVE-2018-0152: Insufficient Session Expiration in Cisco IOS XE Software

Severity: 8.8 HIGH (NVD)
EPSS: 2.0% (top 16.18%)
CISA KEV: Not in KEV
Exploit: No known exploits

Timeline
Published: Mar 28
Latest update: May 13

Description

A vulnerability in the web-based user interface (web UI) of Cisco IOS XE Software could allow an authenticated, remote attacker to gain elevated privileges on an affected device. The vulnerability exists because the affected software does not reset the privilege level for each web UI session. An attacker who has valid credentials for an affected device could exploit this vulnerability by remotely accessing a VTY line to the device. A successful exploit could allow the attacker to access an affec

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (2 packages)

CVEListV5: cisco/cisco_ios_xe_software, Cisco IOS XE Software
NVD: cisco/ios_xe, 16.1.1

🔴 Vulnerability Details (2)

GHSA
GHSA-4jvx-6g9p-mgxw (2022-05-13): A vulnerability in the web-based user interface (web UI) of Cisco IOS XE Software could allow an authenticated, remote attacker to gain elevated privi
CVEList
CVE-2018-0152 (2018-03-28): A vulnerability in the web-based user interface (web UI) of Cisco IOS XE Software could allow an authenticated, remote attacker to gain elevated privi

📋 Vendor Advisories (1)

Cisco
Cisco IOS XE Software Web UI Remote Access Privilege Escalation Vulnerability (2018-03-28)
CVE-2018-0152 — Insufficient Session Expiration | cvebase