CVE-2019-12624
Cisco IOS XE NGWC Legacy Wireless Device Manager GUI Cross-Site Request Forgery Vulnerability
Severity Score
8.8
*CVSS v3
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
1
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
A vulnerability in the web-based management interface of Cisco IOS XE New Generation Wireless Controller (NGWC) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. The vulnerability is due to insufficient CSRF protections for the web-based management interface of the affected software. An attacker could exploit this vulnerability by persuading a user of the interface to follow a crafted link. A successful exploit could allow the attacker to perform arbitrary actions on an affected device by using a web browser and with the privileges of the user.
Una vulnerabilidad en la interfaz de administración basada en la web del Controlador inalámbrico de nueva generación Cisco IOS XE (NGWC) podría permitir que un atacante remoto no autenticado realice un ataque de falsificación de solicitud entre sitios (CSRF) y realice acciones arbitrarias en un dispositivo afectado. La vulnerabilidad se debe a las insuficientes protecciones CSRF para la interfaz de administración basada en web del software afectado. Un atacante podría aprovechar esta vulnerabilidad persuadiendo a un usuario de la interfaz para que siga un enlace diseñado. Una explotación exitosa podría permitir al atacante realizar acciones arbitrarias en un dispositivo afectado mediante el uso de un navegador web y con los privilegios del usuario.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2019-06-04 CVE Reserved
- 2019-07-24 First Exploit
- 2019-08-21 CVE Published
- 2023-09-30 EPSS Updated
- 2024-09-16 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-352: Cross-Site Request Forgery (CSRF)
CAPEC
References (2)
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Cisco Search vendor "Cisco" | Ios Xe Search vendor "Cisco" for product "Ios Xe" | >= 3.0.xe <= 3.11.xe Search vendor "Cisco" for product "Ios Xe" and version " >= 3.0.xe <= 3.11.xe" | - |
Affected
| in | Cisco Search vendor "Cisco" | 5760 Wireless Lan Controller Search vendor "Cisco" for product "5760 Wireless Lan Controller" | - | - |
Safe
|
| Cisco Search vendor "Cisco" | Ios Xe Search vendor "Cisco" for product "Ios Xe" | >= 3.0.xe <= 3.11.xe Search vendor "Cisco" for product "Ios Xe" and version " >= 3.0.xe <= 3.11.xe" | - |
Affected
| in | Cisco Search vendor "Cisco" | Catalyst 3650-12x48uq Search vendor "Cisco" for product "Catalyst 3650-12x48uq" | - | - |
Safe
|
| Cisco Search vendor "Cisco" | Ios Xe Search vendor "Cisco" for product "Ios Xe" | >= 3.0.xe <= 3.11.xe Search vendor "Cisco" for product "Ios Xe" and version " >= 3.0.xe <= 3.11.xe" | - |
Affected
| in | Cisco Search vendor "Cisco" | Catalyst 3650-12x48ur Search vendor "Cisco" for product "Catalyst 3650-12x48ur" | - | - |
Safe
|
| Cisco Search vendor "Cisco" | Ios Xe Search vendor "Cisco" for product "Ios Xe" | >= 3.0.xe <= 3.11.xe Search vendor "Cisco" for product "Ios Xe" and version " >= 3.0.xe <= 3.11.xe" | - |
Affected
| in | Cisco Search vendor "Cisco" | Catalyst 3650-12x48uz Search vendor "Cisco" for product "Catalyst 3650-12x48uz" | - | - |
Safe
|
| Cisco Search vendor "Cisco" | Ios Xe Search vendor "Cisco" for product "Ios Xe" | >= 3.0.xe <= 3.11.xe Search vendor "Cisco" for product "Ios Xe" and version " >= 3.0.xe <= 3.11.xe" | - |
Affected
| in | Cisco Search vendor "Cisco" | Catalyst 3650-24pd Search vendor "Cisco" for product "Catalyst 3650-24pd" | - | - |
Safe
|
| Cisco Search vendor "Cisco" | Ios Xe Search vendor "Cisco" for product "Ios Xe" | >= 3.0.xe <= 3.11.xe Search vendor "Cisco" for product "Ios Xe" and version " >= 3.0.xe <= 3.11.xe" | - |
Affected
| in | Cisco Search vendor "Cisco" | Catalyst 3650-24pdm Search vendor "Cisco" for product "Catalyst 3650-24pdm" | - | - |
Safe
|
| Cisco Search vendor "Cisco" | Ios Xe Search vendor "Cisco" for product "Ios Xe" | >= 3.0.xe <= 3.11.xe Search vendor "Cisco" for product "Ios Xe" and version " >= 3.0.xe <= 3.11.xe" | - |
Affected
| in | Cisco Search vendor "Cisco" | Catalyst 3650-48fq Search vendor "Cisco" for product "Catalyst 3650-48fq" | - | - |
Safe
|
| Cisco Search vendor "Cisco" | Ios Xe Search vendor "Cisco" for product "Ios Xe" | >= 3.0.xe <= 3.11.xe Search vendor "Cisco" for product "Ios Xe" and version " >= 3.0.xe <= 3.11.xe" | - |
Affected
| in | Cisco Search vendor "Cisco" | Catalyst 3650-48fqm Search vendor "Cisco" for product "Catalyst 3650-48fqm" | - | - |
Safe
|
| Cisco Search vendor "Cisco" | Ios Xe Search vendor "Cisco" for product "Ios Xe" | >= 3.0.xe <= 3.11.xe Search vendor "Cisco" for product "Ios Xe" and version " >= 3.0.xe <= 3.11.xe" | - |
Affected
| in | Cisco Search vendor "Cisco" | Catalyst 3650-8x24uq Search vendor "Cisco" for product "Catalyst 3650-8x24uq" | - | - |
Safe
|
| Cisco Search vendor "Cisco" | Ios Xe Search vendor "Cisco" for product "Ios Xe" | >= 3.0.xe <= 3.11.xe Search vendor "Cisco" for product "Ios Xe" and version " >= 3.0.xe <= 3.11.xe" | - |
Affected
| in | Cisco Search vendor "Cisco" | Catalyst 3850-12x48u Search vendor "Cisco" for product "Catalyst 3850-12x48u" | - | - |
Safe
|
| Cisco Search vendor "Cisco" | Ios Xe Search vendor "Cisco" for product "Ios Xe" | >= 3.0.xe <= 3.11.xe Search vendor "Cisco" for product "Ios Xe" and version " >= 3.0.xe <= 3.11.xe" | - |
Affected
| in | Cisco Search vendor "Cisco" | Catalyst 3850-24u Search vendor "Cisco" for product "Catalyst 3850-24u" | - | - |
Safe
|
| Cisco Search vendor "Cisco" | Ios Xe Search vendor "Cisco" for product "Ios Xe" | >= 3.0.xe <= 3.11.xe Search vendor "Cisco" for product "Ios Xe" and version " >= 3.0.xe <= 3.11.xe" | - |
Affected
| in | Cisco Search vendor "Cisco" | Catalyst 3850-24xs Search vendor "Cisco" for product "Catalyst 3850-24xs" | - | - |
Safe
|
| Cisco Search vendor "Cisco" | Ios Xe Search vendor "Cisco" for product "Ios Xe" | >= 3.0.xe <= 3.11.xe Search vendor "Cisco" for product "Ios Xe" and version " >= 3.0.xe <= 3.11.xe" | - |
Affected
| in | Cisco Search vendor "Cisco" | Catalyst 3850-24xu Search vendor "Cisco" for product "Catalyst 3850-24xu" | - | - |
Safe
|
| Cisco Search vendor "Cisco" | Ios Xe Search vendor "Cisco" for product "Ios Xe" | >= 3.0.xe <= 3.11.xe Search vendor "Cisco" for product "Ios Xe" and version " >= 3.0.xe <= 3.11.xe" | - |
Affected
| in | Cisco Search vendor "Cisco" | Catalyst 3850-48u Search vendor "Cisco" for product "Catalyst 3850-48u" | - | - |
Safe
|
| Cisco Search vendor "Cisco" | Ios Xe Search vendor "Cisco" for product "Ios Xe" | >= 3.0.xe <= 3.11.xe Search vendor "Cisco" for product "Ios Xe" and version " >= 3.0.xe <= 3.11.xe" | - |
Affected
| in | Cisco Search vendor "Cisco" | Catalyst 3850-48xs Search vendor "Cisco" for product "Catalyst 3850-48xs" | - | - |
Safe
|
| Cisco Search vendor "Cisco" | Ios Xe Search vendor "Cisco" for product "Ios Xe" | >= 3.0.xe <= 3.11.xe Search vendor "Cisco" for product "Ios Xe" and version " >= 3.0.xe <= 3.11.xe" | - |
Affected
| in | Cisco Search vendor "Cisco" | Catalyst 3850-nm-2-40g Search vendor "Cisco" for product "Catalyst 3850-nm-2-40g" | - | - |
Safe
|
| Cisco Search vendor "Cisco" | Ios Xe Search vendor "Cisco" for product "Ios Xe" | >= 3.0.xe <= 3.11.xe Search vendor "Cisco" for product "Ios Xe" and version " >= 3.0.xe <= 3.11.xe" | - |
Affected
| in | Cisco Search vendor "Cisco" | Catalyst 3850-nm-8-10g Search vendor "Cisco" for product "Catalyst 3850-nm-8-10g" | - | - |
Safe
|
| Cisco Search vendor "Cisco" | Ios Xe Search vendor "Cisco" for product "Ios Xe" | >= 3.0.xe <= 3.11.xe Search vendor "Cisco" for product "Ios Xe" and version " >= 3.0.xe <= 3.11.xe" | - |
Affected
| in | Cisco Search vendor "Cisco" | Catalyst 4500e Supervisor Engine 8-e Search vendor "Cisco" for product "Catalyst 4500e Supervisor Engine 8-e" | - | - |
Safe
|