CVE-2019-1904Cross-Site Request Forgery in Cisco IOS XE Software

CWE-352Cross-Site Request ForgeryCWE-284Improper Access Control5 documents5 sources
Severity
8.8HIGHNVD
EPSS
0.5%
top 33.94%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Cisco IOS XE SoftwareCisco IOS XE
Timeline
PublishedJun 21
Latest updateMay 24

Description

A vulnerability in the web-based UI (web UI) of Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protections for the web UI on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege leve

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

CVEListV5cisco/cisco_ios_xe_softwareunspecified16.4.1
NVDcisco/ios_xe16.1.3, 16.2.1, 16.3.1+2

🔴Vulnerability Details

2
GHSA
GHSA-mj96-mvxg-hrm7: A vulnerability in the web-based UI (web UI) of Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a cross-site request2022-05-24
CVEList
Cisco IOS XE Software Web UI Cross-Site Request Forgery Vulnerability2019-06-21

📋Vendor Advisories

2
Cisco
Cisco IOS XE Software Web UI Cross-Site Request Forgery Vulnerability2019-06-12
Citrix
CVE-2019-11634: Citrix Workspace App before 1904 for Windows has Incorrect Access Control.2019-05-22
CVE-2019-1904 — Cross-Site Request Forgery in Cisco | cvebase