CVE-2024-20414Improper Authorization in Cisco IOS XE Software

CWE-285Improper AuthorizationCWE-352Cross-Site Request Forgery4 documents4 sources
Severity
6.5MEDIUMNVD
EPSS
0.3%
top 44.70%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Cisco IOS XE SoftwareCisco IOSCisco IOS XE
Timeline
PublishedSep 25

Description

A vulnerability in the web UI feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system through the web UI. This vulnerability is due to incorrectly accepting configuration changes through the HTTP GET method. An attacker could exploit this vulnerability by persuading a currently authenticated administrator to follow a crafted link. A successful exploit could allow the attack

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

CVEListV5cisco/cisco_ios_xe_software431 versions+430
CVEListV5cisco/ios30 versions+29
NVDcisco/ios30 versions+29
NVDcisco/ios_xe431 versions+430

🔴Vulnerability Details

2
GHSA
GHSA-m9jx-f6w8-8hj9: A vulnerability in the web UI feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a cro2024-09-25
CVEList
CVE-2024-20414: A vulnerability in the web UI feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a cro2024-09-25

📋Vendor Advisories

1
Cisco
Cisco IOS and IOS XE Software Web UI Cross-Site Request Forgery Vulnerability2024-09-25
CVE-2024-20414 — Improper Authorization in Cisco | cvebase