CVE-2019-18375 - OpenCVE

The ASG and ProxySG management consoles are susceptible to a session hijacking vulnerability. A remote attacker, with access to the appliance management interface, can hijack the session of a currently logged-in user and access the management console.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Broadcom	Advanced Secure Gateway Symantec Proxysg

Configuration 1 [-]

OR	cpe:2.3:a:broadcom:advanced_secure_gateway::::::::
	cpe:2.3:a:broadcom:advanced_secure_gateway::::::::

Configuration 2 [-]

OR	cpe:2.3:a:broadcom:symantec_proxysg::::::::
	cpe:2.3:a:broadcom:symantec_proxysg::::::::

No data.

References

Link	Providers
https://support.broadcom.com/security-advisory/security-advisory-detail.html?notificationId=SYMSA1752

History

No history.

MITRE

Status: PUBLISHED

Assigner: symantec

Published: 2020-04-09T23:16:17

Updated: 2024-08-05T01:54:14.137Z

Reserved: 2019-10-23T00:00:00

Link: CVE-2019-18375

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-04-10T00:15:11.160

Modified: 2021-07-08T16:37:44.830

Link: CVE-2019-18375

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Symantec Advanced Secure Gateway (ASG) and ProxySG", "vendor": "n/a", "versions": [{"status": "affected", "version": "ASG 6.7.4 prior to 6.7.4.10, ASG 7.x prior to 7.2.0.1, ProxySG 6.7.4 prior to 6.7.4.10, ProxySG 7.x prior to 7.2.0.1"}]}], "descriptions": [{"lang": "en", "value": "The ASG and ProxySG management consoles are susceptible to a session hijacking vulnerability. A remote attacker, with access to the appliance management interface, can hijack the session of a currently logged-in user and access the management console."}], "problemTypes": [{"descriptions": [{"description": "Session hijacking", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-04-09T23:16:17", "orgId": "80d3bcb6-88de-48c2-a47e-aebf795f19b5", "shortName": "symantec"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://support.broadcom.com/security-advisory/security-advisory-detail.html?notificationId=SYMSA1752"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secure@symantec.com", "ID": "CVE-2019-18375", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Symantec Advanced Secure Gateway (ASG) and ProxySG", "version": {"version_data": [{"version_value": "ASG 6.7.4 prior to 6.7.4.10, ASG 7.x prior to 7.2.0.1, ProxySG 6.7.4 prior to 6.7.4.10, ProxySG 7.x prior to 7.2.0.1"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The ASG and ProxySG management consoles are susceptible to a session hijacking vulnerability. A remote attacker, with access to the appliance management interface, can hijack the session of a currently logged-in user and access the management console."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Session hijacking"}]}]}, "references": {"reference_data": [{"name": "https://support.broadcom.com/security-advisory/security-advisory-detail.html?notificationId=SYMSA1752", "refsource": "MISC", "url": "https://support.broadcom.com/security-advisory/security-advisory-detail.html?notificationId=SYMSA1752"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T01:54:14.137Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://support.broadcom.com/security-advisory/security-advisory-detail.html?notificationId=SYMSA1752"}]}]}, "cveMetadata": {"assignerOrgId": "80d3bcb6-88de-48c2-a47e-aebf795f19b5", "assignerShortName": "symantec", "cveId": "CVE-2019-18375", "datePublished": "2020-04-09T23:16:17", "dateReserved": "2019-10-23T00:00:00", "dateUpdated": "2024-08-05T01:54:14.137Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:broadcom:advanced_secure_gateway:*:*:*:*:*:*:*:*", "matchCriteriaId": "E268AFF2-E368-4574-9CE4-923C9C510E24", "versionEndExcluding": "6.7.4.10", "versionStartIncluding": "6.7.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:broadcom:advanced_secure_gateway:*:*:*:*:*:*:*:*", "matchCriteriaId": "ED2A0D93-FEEC-43B1-9766-032B87E88C38", "versionEndExcluding": "7.2.0.1", "versionStartIncluding": "7.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:broadcom:symantec_proxysg:*:*:*:*:*:*:*:*", "matchCriteriaId": "250EAC78-79F0-4ACF-86DB-54A6826832A8", "versionEndExcluding": "6.7.4.10", "versionStartIncluding": "6.7.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:broadcom:symantec_proxysg:*:*:*:*:*:*:*:*", "matchCriteriaId": "8C91A22D-A943-4DA8-8557-1B4EDB392D09", "versionEndExcluding": "7.2.0.1", "versionStartIncluding": "7.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The ASG and ProxySG management consoles are susceptible to a session hijacking vulnerability. A remote attacker, with access to the appliance management interface, can hijack the session of a currently logged-in user and access the management console."}, {"lang": "es", "value": "Las consolas de administraci\u00f3n de ASG y ProxySG, son susceptibles a una vulnerabilidad de secuestro de sesi\u00f3n. Un atacante remoto, con acceso a la interfaz de administraci\u00f3n del dispositivo, puede secuestrar la sesi\u00f3n de un usuario actualmente registrado y acceder a la consola de administraci\u00f3n."}], "id": "CVE-2019-18375", "lastModified": "2021-07-08T16:37:44.830", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-04-10T00:15:11.160", "references": [{"source": "secure@symantec.com", "tags": ["Vendor Advisory"], "url": "https://support.broadcom.com/security-advisory/security-advisory-detail.html?notificationId=SYMSA1752"}], "sourceIdentifier": "secure@symantec.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}