CVE-2019-1733

Cisco NX-OS Software NX-API Sandbox Cross-Site Scripting Vulnerability

Severity Score

5.4

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A vulnerability in the NX API (NX-API) Sandbox interface for Cisco NX-OS Software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the NX-API Sandbox interface of an affected device. The vulnerability is due to insufficient validation of user-supplied input by the NX-API Sandbox interface. An attacker could exploit this vulnerability by persuading a user of the NX-API Sandbox interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected NX-API Sandbox interface.

Una vulnerabilidad en la NX API (NX-API) Sandbox para el programa NX-OS de Cisco podría permitir a un atacante remoto autorizado realizar un ataque de tipo cross-site scripting (XSS) contra un usuario de la NX-API en la interfaz Sandbox de un dispositivo afectado. La vulnerabilidad se debe a una comprobación insuficiente de la entrada proporcionada por el usuario por la interfaz de NX-API Sandbox. Un atacante podría explotar esta vulnerabilidad al persuadir a un usuario de la interfaz de NX-API Sandbox para que haga clic en un enlace creado. Una explotación con éxito podría permitir al atacante ejecutar un código de script arbitrario en el contexto de la interfaz de NX-API Sandbox afectada.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

Single

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2018-12-06 CVE Reserved
2019-05-15 CVE Published
2023-03-08 EPSS Updated
2024-09-17 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CAPEC

References (2)

URL	Tag	Source
http://www.securityfocus.com/bid/108348	Third Party Advisory

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-nxos-nxapi-xss	2019-10-09

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Cisco Search vendor "Cisco"	Nx-os Search vendor "Cisco" for product "Nx-os"	>= 7.0\(3\)i7 < 7.0\(3\)i7\(4\) Search vendor "Cisco" for product "Nx-os" and version " >= 7.0\(3\)i7 < 7.0\(3\)i7\(4\)"	-	Affected	in	Cisco Search vendor "Cisco"	Nexus 3000 Search vendor "Cisco" for product "Nexus 3000"	-	-	Safe
Cisco Search vendor "Cisco"	Nx-os Search vendor "Cisco" for product "Nx-os"	>= 7.0\(3\)i7 < 7.0\(3\)i7\(4\) Search vendor "Cisco" for product "Nx-os" and version " >= 7.0\(3\)i7 < 7.0\(3\)i7\(4\)"	-	Affected	in	Cisco Search vendor "Cisco"	Nexus 3100 Search vendor "Cisco" for product "Nexus 3100"	-	-	Safe
Cisco Search vendor "Cisco"	Nx-os Search vendor "Cisco" for product "Nx-os"	>= 7.0\(3\)i7 < 7.0\(3\)i7\(4\) Search vendor "Cisco" for product "Nx-os" and version " >= 7.0\(3\)i7 < 7.0\(3\)i7\(4\)"	-	Affected	in	Cisco Search vendor "Cisco"	Nexus 3100-z Search vendor "Cisco" for product "Nexus 3100-z"	-	-	Safe
Cisco Search vendor "Cisco"	Nx-os Search vendor "Cisco" for product "Nx-os"	>= 7.0\(3\)i7 < 7.0\(3\)i7\(4\) Search vendor "Cisco" for product "Nx-os" and version " >= 7.0\(3\)i7 < 7.0\(3\)i7\(4\)"	-	Affected	in	Cisco Search vendor "Cisco"	Nexus 3100v Search vendor "Cisco" for product "Nexus 3100v"	-	-	Safe
Cisco Search vendor "Cisco"	Nx-os Search vendor "Cisco" for product "Nx-os"	>= 7.0\(3\)i7 < 7.0\(3\)i7\(4\) Search vendor "Cisco" for product "Nx-os" and version " >= 7.0\(3\)i7 < 7.0\(3\)i7\(4\)"	-	Affected	in	Cisco Search vendor "Cisco"	Nexus 3200 Search vendor "Cisco" for product "Nexus 3200"	-	-	Safe
Cisco Search vendor "Cisco"	Nx-os Search vendor "Cisco" for product "Nx-os"	>= 7.0\(3\)i7 < 7.0\(3\)i7\(4\) Search vendor "Cisco" for product "Nx-os" and version " >= 7.0\(3\)i7 < 7.0\(3\)i7\(4\)"	-	Affected	in	Cisco Search vendor "Cisco"	Nexus 3400 Search vendor "Cisco" for product "Nexus 3400"	-	-	Safe
Cisco Search vendor "Cisco"	Nx-os Search vendor "Cisco" for product "Nx-os"	>= 7.0\(3\)i7 < 7.0\(3\)i7\(4\) Search vendor "Cisco" for product "Nx-os" and version " >= 7.0\(3\)i7 < 7.0\(3\)i7\(4\)"	-	Affected	in	Cisco Search vendor "Cisco"	Nexus 3500 Search vendor "Cisco" for product "Nexus 3500"	-	-	Safe
Cisco Search vendor "Cisco"	Nx-os Search vendor "Cisco" for product "Nx-os"	>= 7.0\(3\)i7 < 7.0\(3\)i7\(4\) Search vendor "Cisco" for product "Nx-os" and version " >= 7.0\(3\)i7 < 7.0\(3\)i7\(4\)"	-	Affected	in	Cisco Search vendor "Cisco"	Nexus 3524-x Search vendor "Cisco" for product "Nexus 3524-x"	-	-	Safe
Cisco Search vendor "Cisco"	Nx-os Search vendor "Cisco" for product "Nx-os"	>= 7.0\(3\)i7 < 7.0\(3\)i7\(4\) Search vendor "Cisco" for product "Nx-os" and version " >= 7.0\(3\)i7 < 7.0\(3\)i7\(4\)"	-	Affected	in	Cisco Search vendor "Cisco"	Nexus 3524-xl Search vendor "Cisco" for product "Nexus 3524-xl"	-	-	Safe
Cisco Search vendor "Cisco"	Nx-os Search vendor "Cisco" for product "Nx-os"	>= 7.0\(3\)i7 < 7.0\(3\)i7\(4\) Search vendor "Cisco" for product "Nx-os" and version " >= 7.0\(3\)i7 < 7.0\(3\)i7\(4\)"	-	Affected	in	Cisco Search vendor "Cisco"	Nexus 3548-x Search vendor "Cisco" for product "Nexus 3548-x"	-	-	Safe
Cisco Search vendor "Cisco"	Nx-os Search vendor "Cisco" for product "Nx-os"	>= 7.0\(3\)i7 < 7.0\(3\)i7\(4\) Search vendor "Cisco" for product "Nx-os" and version " >= 7.0\(3\)i7 < 7.0\(3\)i7\(4\)"	-	Affected	in	Cisco Search vendor "Cisco"	Nexus 3548-xl Search vendor "Cisco" for product "Nexus 3548-xl"	-	-	Safe
Cisco Search vendor "Cisco"	Nx-os Search vendor "Cisco" for product "Nx-os"	>= 7.0\(3\)i7 < 7.0\(3\)i7\(4\) Search vendor "Cisco" for product "Nx-os" and version " >= 7.0\(3\)i7 < 7.0\(3\)i7\(4\)"	-	Affected	in	Cisco Search vendor "Cisco"	Nexus 3600 Search vendor "Cisco" for product "Nexus 3600"	-	-	Safe
Cisco Search vendor "Cisco"	Nx-os Search vendor "Cisco" for product "Nx-os"	>= 7.0\(3\)i7 < 7.0\(3\)i7\(4\) Search vendor "Cisco" for product "Nx-os" and version " >= 7.0\(3\)i7 < 7.0\(3\)i7\(4\)"	-	Affected	in	Cisco Search vendor "Cisco"	Nexus 9000 Search vendor "Cisco" for product "Nexus 9000"	-	-	Safe
Cisco Search vendor "Cisco"	Nx-os Search vendor "Cisco" for product "Nx-os"	>= 7.0\(3\)i7 < 7.0\(3\)i7\(4\) Search vendor "Cisco" for product "Nx-os" and version " >= 7.0\(3\)i7 < 7.0\(3\)i7\(4\)"	-	Affected	in	Cisco Search vendor "Cisco"	Nexus 9200 Search vendor "Cisco" for product "Nexus 9200"	-	-	Safe
Cisco Search vendor "Cisco"	Nx-os Search vendor "Cisco" for product "Nx-os"	>= 7.0\(3\)i7 < 7.0\(3\)i7\(4\) Search vendor "Cisco" for product "Nx-os" and version " >= 7.0\(3\)i7 < 7.0\(3\)i7\(4\)"	-	Affected	in	Cisco Search vendor "Cisco"	Nexus 9300 Search vendor "Cisco" for product "Nexus 9300"	-	-	Safe
Cisco Search vendor "Cisco"	Nx-os Search vendor "Cisco" for product "Nx-os"	>= 7.0\(3\)i7 < 7.0\(3\)i7\(4\) Search vendor "Cisco" for product "Nx-os" and version " >= 7.0\(3\)i7 < 7.0\(3\)i7\(4\)"	-	Affected	in	Cisco Search vendor "Cisco"	Nexus 9500 Search vendor "Cisco" for product "Nexus 9500"	-	-	Safe