ID

VAR-201401-0342


CVE

CVE-2014-0678


TITLE

Cisco Secure Access Control System Portal interface session hijacking vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2014-001255

DESCRIPTION

The portal interface in Cisco Secure Access Control System (ACS) does not properly manage sessions, which allows remote authenticated users to hijack sessions and gain privileges via unspecified vectors, aka Bug ID CSCue65951. Cisco Secure ACS is a central management platform for Cisco network devices that controls device authentication and authorization. It controls network access and network device access through the RADIUS and TACACS protocols, respectively. Because session management in the portal is insufficient, an authenticated remote attacker can access the portal interface in the context of another user. An authenticated remote attacker can leverage this issue to bypass security restrictions and perform unauthorized actions with the privileges of another user. This may aid in further attacks. This issue is tracked by Cisco Bug ID CSCue65951.

Trust: 2.52

sources: NVD: CVE-2014-0678 // JVNDB: JVNDB-2014-001255 // CNVD: CNVD-2014-00681 // BID: 65144 // VULHUB: VHN-68171

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2014-00681

AFFECTED PRODUCTS

vendor: cisco, model: secure access control system, scope: eq, version: -

Trust: 1.6

vendor: cisco, model: secure access control system software, scope: lte, version: 5.4 (.046.3)

Trust: 0.8

vendor: cisco, model: secure access control system, scope: -, version: -

Trust: 0.6

sources: CNVD: CNVD-2014-00681 // JVNDB: JVNDB-2014-001255 // CNNVD: CNNVD-201401-522 // NVD: CVE-2014-0678

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-0678
value: MEDIUM

Trust: 1.0

NVD: CVE-2014-0678
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2014-00681
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201401-522
value: MEDIUM

Trust: 0.6

VULHUB: VHN-68171
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2014-0678
severity: MEDIUM
baseScore: 5.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2014-00681
severity: MEDIUM
baseScore: 5.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-68171
severity: MEDIUM
baseScore: 5.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CNVD: CNVD-2014-00681 // VULHUB: VHN-68171 // JVNDB: JVNDB-2014-001255 // CNNVD: CNNVD-201401-522 // NVD: CVE-2014-0678

PROBLEMTYPE DATA

problemtype:CWE-264

Trust: 1.9

sources: VULHUB: VHN-68171 // JVNDB: JVNDB-2014-001255 // NVD: CVE-2014-0678

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201401-522

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201401-522

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-001255

PATCH

title: Cisco Secure ACS Portal Session Management Vulnerability, url: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-0678

Trust: 0.8

title: 32567, url: http://tools.cisco.com/security/center/viewAlert.x?alertId=32567

Trust: 0.8

sources: JVNDB: JVNDB-2014-001255

EXTERNAL IDS

db: NVD, id: CVE-2014-0678

Trust: 3.4

db: BID, id: 65144

Trust: 2.0

db: SECUNIA, id: 56540

Trust: 1.1

db: OSVDB, id: 102558

Trust: 1.1

db: SECTRACK, id: 1029688

Trust: 1.1

db: JVNDB, id: JVNDB-2014-001255

Trust: 0.8

db: CNNVD, id: CNNVD-201401-522

Trust: 0.7

db: CNVD, id: CNVD-2014-00681

Trust: 0.6

db: CISCO, id: 20140124 CISCO SECURE ACS PORTAL SESSION MANAGEMENT VULNERABILITY

Trust: 0.6

db: VULHUB, id: VHN-68171

Trust: 0.1

sources: CNVD: CNVD-2014-00681 // VULHUB: VHN-68171 // BID: 65144 // JVNDB: JVNDB-2014-001255 // CNNVD: CNNVD-201401-522 // NVD: CVE-2014-0678

REFERENCES

url:http://tools.cisco.com/security/center/content/ciscosecuritynotice/cve-2014-0678

Trust: 2.3

url:http://www.securityfocus.com/bid/65144

Trust: 1.1

url:http://tools.cisco.com/security/center/viewalert.x?alertid=32567

Trust: 1.1

url:http://osvdb.org/102558

Trust: 1.1

url:http://www.securitytracker.com/id/1029688

Trust: 1.1

url:http://secunia.com/advisories/56540

Trust: 1.1

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/90732

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-0678

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-0678

Trust: 0.8

url:http://www.cisco.com/

Trust: 0.3

sources: CNVD: CNVD-2014-00681 // VULHUB: VHN-68171 // BID: 65144 // JVNDB: JVNDB-2014-001255 // CNNVD: CNNVD-201401-522 // NVD: CVE-2014-0678

CREDITS

Cisco

Trust: 0.3

sources: BID: 65144

SOURCES

db: CNVD, id: CNVD-2014-00681
db: VULHUB, id: VHN-68171
db: BID, id: 65144
db: JVNDB, id: JVNDB-2014-001255
db: CNNVD, id: CNNVD-201401-522
db: NVD, id: CVE-2014-0678

LAST UPDATE DATE

2025-04-11T22:59:01.432000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2014-00681, date: 2014-01-28T00:00:00
db: VULHUB, id: VHN-68171, date: 2017-08-29T00:00:00
db: BID, id: 65144, date: 2014-01-24T00:00:00
db: JVNDB, id: JVNDB-2014-001255, date: 2014-01-28T00:00:00
db: CNNVD, id: CNNVD-201401-522, date: 2014-01-28T00:00:00
db: NVD, id: CVE-2014-0678, date: 2025-04-11T00:51:21.963

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2014-00681, date: 2014-01-28T00:00:00
db: VULHUB, id: VHN-68171, date: 2014-01-25T00:00:00
db: BID, id: 65144, date: 2014-01-24T00:00:00
db: JVNDB, id: JVNDB-2014-001255, date: 2014-01-28T00:00:00
db: CNNVD, id: CNNVD-201401-522, date: 2014-01-28T00:00:00
db: NVD, id: CVE-2014-0678, date: 2014-01-25T22:55:03.567