Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2019-16009

A vulnerability in the web UI of Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protections for the web UI on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the targeted user. If the user has administrative privileges, the attacker could alter the configuration, execute commands, or reload an affected device.

Published

2020-09-23T01:15:13.707

Last Modified

2024-11-21T04:29:55.320

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 8.8 (HIGH)

CVSSv2 Vector

AV:N/AC:H/Au:N/C:C/I:C/A:C

Access Vector: NETWORK
Access Complexity: HIGH
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

Exploitability Score

4.9

Impact Score

10.0

Weaknesses

Type: Secondary
CWE-352
Type: Primary
CWE-352

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Operating System	cisco	ios	< 16.1.1	Yes
Operating System	cisco	ios_xe	< 16.1.1	Yes

References

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200108-ios-csrf Vendor Advisory ([email protected])
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200108-ios-csrf Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)