{"containers": {"cna": {"affected": [{"product": "Cisco Prime Network Registrar", "vendor": "Cisco", "versions": [{"lessThan": "n/a", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "datePublic": "2020-03-04T00:00:00", "descriptions": [{"lang": "en", "value": "A vulnerability in the web-based interface of Cisco Prime Network Registrar (CPNR) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protections in the web-based interface. An attacker could exploit this vulnerability by persuading a targeted user, with an active administrative session on the affected device, to click a malicious link. A successful exploit could allow an attacker to change the device's configuration, which could include the ability to edit or create user accounts of any privilege level. Some changes to the device's configuration could negatively impact the availability of networking services for other devices on networks managed by CPNR."}], "exploits": [{"lang": "en", "value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "CWE-352", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-03-04T18:40:27", "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "shortName": "cisco"}, "references": [{"name": "20200304 Cisco Prime Network Registrar Cross-Site Request Forgery Vulnerability", "tags": ["vendor-advisory", "x_refsource_CISCO"], "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cpnr-csrf-WWTrDkyL"}], "source": {"advisory": "cisco-sa-cpnr-csrf-WWTrDkyL", "defect": [["CSCvm39026", "CSCvo69922"]], "discovery": "INTERNAL"}, "title": "Cisco Prime Network Registrar Cross-Site Request Forgery Vulnerability", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@cisco.com", "DATE_PUBLIC": "2020-03-04T16:00:00-0800", "ID": "CVE-2020-3148", "STATE": "PUBLIC", "TITLE": "Cisco Prime Network Registrar Cross-Site Request Forgery Vulnerability"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Cisco Prime Network Registrar", "version": {"version_data": [{"affected": "<", "version_affected": "<", "version_value": "n/a"}]}}]}, "vendor_name": "Cisco"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A vulnerability in the web-based interface of Cisco Prime Network Registrar (CPNR) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protections in the web-based interface. An attacker could exploit this vulnerability by persuading a targeted user, with an active administrative session on the affected device, to click a malicious link. A successful exploit could allow an attacker to change the device's configuration, which could include the ability to edit or create user accounts of any privilege level. Some changes to the device's configuration could negatively impact the availability of networking services for other devices on networks managed by CPNR."}]}, "exploit": [{"lang": "en", "value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."}], "impact": {"cvss": {"baseScore": "7.1", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-352"}]}]}, "references": {"reference_data": [{"name": "20200304 Cisco Prime Network Registrar Cross-Site Request Forgery Vulnerability", "refsource": "CISCO", "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cpnr-csrf-WWTrDkyL"}]}, "source": {"advisory": "cisco-sa-cpnr-csrf-WWTrDkyL", "defect": [["CSCvm39026", "CSCvo69922"]], "discovery": "INTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T07:24:00.724Z"}, "title": "CVE Program Container", "references": [{"name": "20200304 Cisco Prime Network Registrar Cross-Site Request Forgery Vulnerability", "tags": ["vendor-advisory", "x_refsource_CISCO", "x_transferred"], "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cpnr-csrf-WWTrDkyL"}]}]}, "cveMetadata": {"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "assignerShortName": "cisco", "cveId": "CVE-2020-3148", "datePublished": "2020-03-04T18:40:27.491044Z", "dateReserved": "2019-12-12T00:00:00", "dateUpdated": "2024-09-16T23:06:23.323Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cisco:prime_network_registrar:*:*:*:*:*:*:*:*", "matchCriteriaId": "85C4E352-01F6-4388-882E-F7D9BF0840E0", "versionEndExcluding": "10.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in the web-based interface of Cisco Prime Network Registrar (CPNR) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protections in the web-based interface. An attacker could exploit this vulnerability by persuading a targeted user, with an active administrative session on the affected device, to click a malicious link. A successful exploit could allow an attacker to change the device's configuration, which could include the ability to edit or create user accounts of any privilege level. Some changes to the device's configuration could negatively impact the availability of networking services for other devices on networks managed by CPNR."}, {"lang": "es", "value": "Una vulnerabilidad en la interfaz basada en web de Cisco Prime Network Registrar (CPNR), podr\u00eda permitir a un atacante remoto no autenticado llevar a cabo un ataque de tipo cross-site request forgery (CSRF) sobre un sistema afectado. La vulnerabilidad es debido a insuficientes protecciones de CSRF en la interfaz basada en web. Un atacante podr\u00eda explotar esta vulnerabilidad al persuadir a un usuario apuntado, con una sesi\u00f3n administrativa activa en el dispositivo afectado, para hacer clic en un enlace malicioso. Una explotaci\u00f3n con \u00e9xito podr\u00eda permitir a un atacante cambiar la configuraci\u00f3n del dispositivo, lo que podr\u00eda incluir la capacidad de editar o crear cuentas de usuario de cualquier nivel de privilegio. Algunos cambios en la configuraci\u00f3n del dispositivo podr\u00edan impactar negativamente la disponibilidad de los servicios de red para otros dispositivos en redes administradas por CPNR."}], "id": "CVE-2020-3148", "lastModified": "2020-03-05T17:47:46.043", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "ykramarz@cisco.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-03-04T19:15:12.587", "references": [{"source": "ykramarz@cisco.com", "tags": ["Vendor Advisory"], "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cpnr-csrf-WWTrDkyL"}], "sourceIdentifier": "ykramarz@cisco.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-352"}], "source": "ykramarz@cisco.com", "type": "Secondary"}]}

{}