OpenCVE

A vulnerability in the web-based UI (web UI) of Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protections for the web UI on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user. If the user has administrative privileges, the attacker could alter the configuration, execute commands, or reload an affected device. This vulnerability affects Cisco devices that are running a vulnerable release of Cisco IOS XE Software with the HTTP Server feature enabled. The default state of the HTTP Server feature is version dependent.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Cisco	4321 Integrated Services Router 4331 Integrated Services Router 4351 Integrated Services Router 4431 Integrated Services Router 4451-x Integrated Services Router Asr 1000 Series Route Processor \(rp2\) Asr 1001-x Asr 1002-hx Asr 1002-x Cloud Services Router 1000v Ios Xe

Configuration 1 [-]

AND

cpe:2.3:h:cisco:4321_integrated_services_router:-:*:*:*:*:*:*:*

OR	cpe:2.3:o:cisco:ios_xe:16.1.3:::::::*
	cpe:2.3:o:cisco:ios_xe:16.2.1:::::::*
	cpe:2.3:o:cisco:ios_xe:16.3.1:::::::*

Configuration 2 [-]

AND

cpe:2.3:h:cisco:4331_integrated_services_router:-:*:*:*:*:*:*:*

OR	cpe:2.3:o:cisco:ios_xe:16.1.3:::::::*
	cpe:2.3:o:cisco:ios_xe:16.2.1:::::::*
	cpe:2.3:o:cisco:ios_xe:16.3.1:::::::*

Configuration 3 [-]

AND

cpe:2.3:h:cisco:asr_1002-x:-:*:*:*:*:*:*:*

OR	cpe:2.3:o:cisco:ios_xe:16.1.3:::::::*
	cpe:2.3:o:cisco:ios_xe:16.2.1:::::::*
	cpe:2.3:o:cisco:ios_xe:16.3.1:::::::*

Configuration 4 [-]

AND

cpe:2.3:h:cisco:4431_integrated_services_router:-:*:*:*:*:*:*:*

OR	cpe:2.3:o:cisco:ios_xe:16.1.3:::::::*
	cpe:2.3:o:cisco:ios_xe:16.2.1:::::::*
	cpe:2.3:o:cisco:ios_xe:16.3.1:::::::*

Configuration 5 [-]

AND

cpe:2.3:h:cisco:cloud_services_router_1000v:-:*:*:*:*:*:*:*

OR	cpe:2.3:o:cisco:ios_xe:16.1.3:::::::*
	cpe:2.3:o:cisco:ios_xe:16.2.1:::::::*
	cpe:2.3:o:cisco:ios_xe:16.3.1:::::::*

Configuration 6 [-]

AND

cpe:2.3:h:cisco:asr_1000_series_route_processor_\(rp2\):-:*:*:*:*:*:*:*

OR	cpe:2.3:o:cisco:ios_xe:16.1.3:::::::*
	cpe:2.3:o:cisco:ios_xe:16.2.1:::::::*
	cpe:2.3:o:cisco:ios_xe:16.3.1:::::::*

Configuration 7 [-]

AND

cpe:2.3:h:cisco:4351_integrated_services_router:-:*:*:*:*:*:*:*

OR	cpe:2.3:o:cisco:ios_xe:16.1.3:::::::*
	cpe:2.3:o:cisco:ios_xe:16.2.1:::::::*
	cpe:2.3:o:cisco:ios_xe:16.3.1:::::::*

Configuration 8 [-]

AND

cpe:2.3:h:cisco:4451-x_integrated_services_router:-:*:*:*:*:*:*:*

OR	cpe:2.3:o:cisco:ios_xe:16.1.3:::::::*
	cpe:2.3:o:cisco:ios_xe:16.2.1:::::::*
	cpe:2.3:o:cisco:ios_xe:16.3.1:::::::*

Configuration 9 [-]

AND

OR	cpe:2.3:o:cisco:ios_xe:16.1.3:::::::*
	cpe:2.3:o:cisco:ios_xe:16.2.1:::::::*
	cpe:2.3:o:cisco:ios_xe:16.3.1:::::::*

cpe:2.3:h:cisco:asr_1002-hx:-:*:*:*:*:*:*:*

Configuration 10 [-]

AND

OR	cpe:2.3:o:cisco:ios_xe:16.1.3:::::::*
	cpe:2.3:o:cisco:ios_xe:16.2.1:::::::*
	cpe:2.3:o:cisco:ios_xe:16.3.1:::::::*

cpe:2.3:h:cisco:asr_1001-x:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190612-iosxe-csrf

History

Wed, 20 Nov 2024 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: cisco

Published: 2019-06-21T02:20:12

Updated: 2024-11-20T17:16:23.786Z

Reserved: 2018-12-06T00:00:00

Link: CVE-2019-1904

Vulnrichment

Updated: 2024-08-04T18:35:52.014Z

NVD

Status : Analyzed

Published: 2019-06-21T03:15:09.513

Modified: 2021-10-18T12:04:49.910

Link: CVE-2019-1904

Redhat

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object