// For flags

CVE-2019-12624

Cisco IOS XE NGWC Legacy Wireless Device Manager GUI Cross-Site Request Forgery Vulnerability

Severity Score

8.8
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track*
*SSVC
Descriptions

A vulnerability in the web-based management interface of Cisco IOS XE New Generation Wireless Controller (NGWC) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. The vulnerability is due to insufficient CSRF protections for the web-based management interface of the affected software. An attacker could exploit this vulnerability by persuading a user of the interface to follow a crafted link. A successful exploit could allow the attacker to perform arbitrary actions on an affected device by using a web browser and with the privileges of the user.

Una vulnerabilidad en la interfaz de administración basada en la web del Controlador inalámbrico de nueva generación Cisco IOS XE (NGWC) podría permitir que un atacante remoto no autenticado realice un ataque de falsificación de solicitud entre sitios (CSRF) y realice acciones arbitrarias en un dispositivo afectado. La vulnerabilidad se debe a las insuficientes protecciones CSRF para la interfaz de administración basada en web del software afectado. Un atacante podría aprovechar esta vulnerabilidad persuadiendo a un usuario de la interfaz para que siga un enlace diseñado. Una explotación exitosa podría permitir al atacante realizar acciones arbitrarias en un dispositivo afectado mediante el uso de un navegador web y con los privilegios del usuario.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:Track*
Exploitation
None
Automatable
No
Tech. Impact
Total
* Organization's Worst-case Scenario
Timeline
  • 2019-06-04 CVE Reserved
  • 2019-07-24 First Exploit
  • 2019-08-21 CVE Published
  • 2023-09-30 EPSS Updated
  • 2024-11-20 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-352: Cross-Site Request Forgery (CSRF)
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Cisco
Search vendor "Cisco"
Ios Xe
Search vendor "Cisco" for product "Ios Xe"
>= 3.0.xe <= 3.11.xe
Search vendor "Cisco" for product "Ios Xe" and version " >= 3.0.xe <= 3.11.xe"
-
Affected
in Cisco
Search vendor "Cisco"
5760 Wireless Lan Controller
Search vendor "Cisco" for product "5760 Wireless Lan Controller"
--
Safe
Cisco
Search vendor "Cisco"
Ios Xe
Search vendor "Cisco" for product "Ios Xe"
>= 3.0.xe <= 3.11.xe
Search vendor "Cisco" for product "Ios Xe" and version " >= 3.0.xe <= 3.11.xe"
-
Affected
in Cisco
Search vendor "Cisco"
Catalyst 3650-12x48uq
Search vendor "Cisco" for product "Catalyst 3650-12x48uq"
--
Safe
Cisco
Search vendor "Cisco"
Ios Xe
Search vendor "Cisco" for product "Ios Xe"
>= 3.0.xe <= 3.11.xe
Search vendor "Cisco" for product "Ios Xe" and version " >= 3.0.xe <= 3.11.xe"
-
Affected
in Cisco
Search vendor "Cisco"
Catalyst 3650-12x48ur
Search vendor "Cisco" for product "Catalyst 3650-12x48ur"
--
Safe
Cisco
Search vendor "Cisco"
Ios Xe
Search vendor "Cisco" for product "Ios Xe"
>= 3.0.xe <= 3.11.xe
Search vendor "Cisco" for product "Ios Xe" and version " >= 3.0.xe <= 3.11.xe"
-
Affected
in Cisco
Search vendor "Cisco"
Catalyst 3650-12x48uz
Search vendor "Cisco" for product "Catalyst 3650-12x48uz"
--
Safe
Cisco
Search vendor "Cisco"
Ios Xe
Search vendor "Cisco" for product "Ios Xe"
>= 3.0.xe <= 3.11.xe
Search vendor "Cisco" for product "Ios Xe" and version " >= 3.0.xe <= 3.11.xe"
-
Affected
in Cisco
Search vendor "Cisco"
Catalyst 3650-24pd
Search vendor "Cisco" for product "Catalyst 3650-24pd"
--
Safe
Cisco
Search vendor "Cisco"
Ios Xe
Search vendor "Cisco" for product "Ios Xe"
>= 3.0.xe <= 3.11.xe
Search vendor "Cisco" for product "Ios Xe" and version " >= 3.0.xe <= 3.11.xe"
-
Affected
in Cisco
Search vendor "Cisco"
Catalyst 3650-24pdm
Search vendor "Cisco" for product "Catalyst 3650-24pdm"
--
Safe
Cisco
Search vendor "Cisco"
Ios Xe
Search vendor "Cisco" for product "Ios Xe"
>= 3.0.xe <= 3.11.xe
Search vendor "Cisco" for product "Ios Xe" and version " >= 3.0.xe <= 3.11.xe"
-
Affected
in Cisco
Search vendor "Cisco"
Catalyst 3650-48fq
Search vendor "Cisco" for product "Catalyst 3650-48fq"
--
Safe
Cisco
Search vendor "Cisco"
Ios Xe
Search vendor "Cisco" for product "Ios Xe"
>= 3.0.xe <= 3.11.xe
Search vendor "Cisco" for product "Ios Xe" and version " >= 3.0.xe <= 3.11.xe"
-
Affected
in Cisco
Search vendor "Cisco"
Catalyst 3650-48fqm
Search vendor "Cisco" for product "Catalyst 3650-48fqm"
--
Safe
Cisco
Search vendor "Cisco"
Ios Xe
Search vendor "Cisco" for product "Ios Xe"
>= 3.0.xe <= 3.11.xe
Search vendor "Cisco" for product "Ios Xe" and version " >= 3.0.xe <= 3.11.xe"
-
Affected
in Cisco
Search vendor "Cisco"
Catalyst 3650-8x24uq
Search vendor "Cisco" for product "Catalyst 3650-8x24uq"
--
Safe
Cisco
Search vendor "Cisco"
Ios Xe
Search vendor "Cisco" for product "Ios Xe"
>= 3.0.xe <= 3.11.xe
Search vendor "Cisco" for product "Ios Xe" and version " >= 3.0.xe <= 3.11.xe"
-
Affected
in Cisco
Search vendor "Cisco"
Catalyst 3850-12x48u
Search vendor "Cisco" for product "Catalyst 3850-12x48u"
--
Safe
Cisco
Search vendor "Cisco"
Ios Xe
Search vendor "Cisco" for product "Ios Xe"
>= 3.0.xe <= 3.11.xe
Search vendor "Cisco" for product "Ios Xe" and version " >= 3.0.xe <= 3.11.xe"
-
Affected
in Cisco
Search vendor "Cisco"
Catalyst 3850-24u
Search vendor "Cisco" for product "Catalyst 3850-24u"
--
Safe
Cisco
Search vendor "Cisco"
Ios Xe
Search vendor "Cisco" for product "Ios Xe"
>= 3.0.xe <= 3.11.xe
Search vendor "Cisco" for product "Ios Xe" and version " >= 3.0.xe <= 3.11.xe"
-
Affected
in Cisco
Search vendor "Cisco"
Catalyst 3850-24xs
Search vendor "Cisco" for product "Catalyst 3850-24xs"
--
Safe
Cisco
Search vendor "Cisco"
Ios Xe
Search vendor "Cisco" for product "Ios Xe"
>= 3.0.xe <= 3.11.xe
Search vendor "Cisco" for product "Ios Xe" and version " >= 3.0.xe <= 3.11.xe"
-
Affected
in Cisco
Search vendor "Cisco"
Catalyst 3850-24xu
Search vendor "Cisco" for product "Catalyst 3850-24xu"
--
Safe
Cisco
Search vendor "Cisco"
Ios Xe
Search vendor "Cisco" for product "Ios Xe"
>= 3.0.xe <= 3.11.xe
Search vendor "Cisco" for product "Ios Xe" and version " >= 3.0.xe <= 3.11.xe"
-
Affected
in Cisco
Search vendor "Cisco"
Catalyst 3850-48u
Search vendor "Cisco" for product "Catalyst 3850-48u"
--
Safe
Cisco
Search vendor "Cisco"
Ios Xe
Search vendor "Cisco" for product "Ios Xe"
>= 3.0.xe <= 3.11.xe
Search vendor "Cisco" for product "Ios Xe" and version " >= 3.0.xe <= 3.11.xe"
-
Affected
in Cisco
Search vendor "Cisco"
Catalyst 3850-48xs
Search vendor "Cisco" for product "Catalyst 3850-48xs"
--
Safe
Cisco
Search vendor "Cisco"
Ios Xe
Search vendor "Cisco" for product "Ios Xe"
>= 3.0.xe <= 3.11.xe
Search vendor "Cisco" for product "Ios Xe" and version " >= 3.0.xe <= 3.11.xe"
-
Affected
in Cisco
Search vendor "Cisco"
Catalyst 3850-nm-2-40g
Search vendor "Cisco" for product "Catalyst 3850-nm-2-40g"
--
Safe
Cisco
Search vendor "Cisco"
Ios Xe
Search vendor "Cisco" for product "Ios Xe"
>= 3.0.xe <= 3.11.xe
Search vendor "Cisco" for product "Ios Xe" and version " >= 3.0.xe <= 3.11.xe"
-
Affected
in Cisco
Search vendor "Cisco"
Catalyst 3850-nm-8-10g
Search vendor "Cisco" for product "Catalyst 3850-nm-8-10g"
--
Safe
Cisco
Search vendor "Cisco"
Ios Xe
Search vendor "Cisco" for product "Ios Xe"
>= 3.0.xe <= 3.11.xe
Search vendor "Cisco" for product "Ios Xe" and version " >= 3.0.xe <= 3.11.xe"
-
Affected
in Cisco
Search vendor "Cisco"
Catalyst 4500e Supervisor Engine 8-e
Search vendor "Cisco" for product "Catalyst 4500e Supervisor Engine 8-e"
--
Safe