CVE-2018-0269
Published 2018-04-19
Priority P4 · 22 · medium · 4.3 · CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
EPSS: 1.32% (67.3th percentile)
A vulnerability in the web framework of the Cisco Digital Network Architecture Center (DNA Center) could allow an unauthenticated, remote attacker to communicate with the Kong API server without restriction. The vulnerability is due to an overly permissive Cross Origin Resource Sharing (CORS) policy. An attacker could exploit this vulnerability by convincing a user to follow a malicious link. An exploit could allow the attacker to communicate with the API and exfiltrate sensitive information. Cisco Bug IDs: CSCvh99208.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cisco | digital_network_architecture_center | — | — |
| cisco | dna_center_cross_origin_resource_sharing | — | — |
CVSS provenance
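| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N |
| vendor_cisco | — | 5.4 | MEDIUM | — |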
Cisco
Cisco DNA Center Cross Origin Resource Sharing Vulnerability
vendor_cisco·2018-04-18·CVSS 5.4
CVE-2018-0269 [MEDIUM] CWE-200 Cisco DNA Center Cross Origin Resource Sharing Vulnerability
A vulnerability in the web framework of the Cisco Digital Network Architecture Center (DNA Center) could allow an unauthenticated, remote attacker to communicate with the Kong API server without restriction.
The vulnerability is due to an overly permissive Cross Origin Resource Sharing (CORS) policy. An attacker could exploit this vulnerability by convincing a user to follow a malicious link. An exploit could allow the attacker to communicate with the API and exfiltrate sensitive information.
There are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-dna1
Cisco
Cisco DNA Center Cross Origin Resource Sharing Vulnerability
vendor_cisco·CVSS 3.0
CVE-2018-0269 Cisco DNA Center Cross Origin Resource Sharing Vulnerability
CVE-2018-0269: Cisco DNA Center Cross Origin Resource Sharing Vulnerability
A vulnerability in the web framework of the Cisco Digital Network Architecture Center (DNA Center) could allow an unauthenticated, remote attacker to communicate with the Kong API server without restriction. The vulnerability is due to an overly permissive Cross Origin Resource Sharing (CORS) policy. An attacker could exploit this vulnerability by convincing a user to follow a malicious link. An exploit could allow the attacker to communicate with the API and exfiltrate sensitive information. There are no
CVSS: 3.0
CWE: CWE-200
Bug IDs: CSCvh99208
GHSA
GHSA-66mm-frqr-r7x4: A vulnerability in the web framework of the Cisco Digital Network Architecture Center (DNA Center) could allow an unauthenticated, remote attacker to
ghsa_unreviewed·2022-05-13
CVE-2018-0269 [MEDIUM] CWE-863 GHSA-66mm-frqr-r7x4: A vulnerability in the web framework of the Cisco Digital Network Architecture Center (DNA Center) could allow an unauthenticated, remote attacker to
A vulnerability in the web framework of the Cisco Digital Network Architecture Center (DNA Center) could allow an unauthenticated, remote attacker to communicate with the Kong API server without restriction. The vulnerability is due to an overly permissive Cross Origin Resource Sharing (CORS) policy. An attacker could exploit this vulnerability by convincing a user to follow a malicious link. An exploit could allow the attacker to communicate with the API and exfiltrate sensitive information. Cisco Bug IDs: CSCvh99208.
No detection rules found.
No public exploits indexed.