Sign-up

ID

VAR-201702-0805


CVE

CVE-2017-3838


TITLE

Cisco Secure Access Control System In DOM -Based cross-site scripting vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2017-001633

DESCRIPTION

A vulnerability in Cisco Secure Access Control System (ACS) could allow an unauthenticated, remote attacker to conduct a DOM-based cross-site scripting (XSS) attack against the user of the web interface of the affected system. More Information: CSCvc04838. Known Affected Releases: 5.8(2.5). Vendors have confirmed this vulnerability Bug CSCvc04838 It is released as.Of the affected system by a remote attacker. Web For interface users, DOM Based XSS An attack may be executed. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issue is being tracked by Cisco Bug ID CSCvc04838. The system can respectively control network access and network device access through RADIUS and TACACS protocols. A remote attacker can exploit this vulnerability to inject arbitrary web script or HTML

Trust: 1.98

sources: NVD: CVE-2017-3838 // JVNDB: JVNDB-2017-001633 // BID: 96234 // VULHUB: VHN-112041

AFFECTED PRODUCTS

vendor:ciscomodel:secure access control systemscope:eqversion:5.8\(2.5\)

Trust: 1.6

vendor:ciscomodel:secure access control system softwarescope:eqversion:5.8(2.5)

Trust: 0.8

vendor:ciscomodel:secure access control systemscope:eqversion:5.8(2.5)

Trust: 0.3

sources: BID: 96234 // JVNDB: JVNDB-2017-001633 // NVD: CVE-2017-3838 // CNNVD: CNNVD-201702-656

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2017-3838
value: MEDIUM

Trust: 1.8

CNNVD: CNNVD-201702-656
value: MEDIUM

Trust: 0.6

VULHUB: VHN-112041
value: MEDIUM

Trust: 0.1

NVD:
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: FALSE
obtainAllPrivilege: FALSE
obtainUserPrivilege: FALSE
obtainOtherPrivilege: FALSE
userInteractionRequired: TRUE
version: 2.0

Trust: 1.0

NVD: CVE-2017-3838
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-112041
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

NVD:
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.0

Trust: 1.0

NVD: CVE-2017-3838
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-112041 // JVNDB: JVNDB-2017-001633 // NVD: CVE-2017-3838 // CNNVD: CNNVD-201702-656

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-112041 // JVNDB: JVNDB-2017-001633 // NVD: CVE-2017-3838

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201702-656

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201702-656

CONFIGURATIONS

sources:
            
            
            NVD: CVE-2017-3838

PATCH
title:cisco-sa-20170215-acsurl:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20170215-acs
Trust: 0.8
title:Cisco Secure Access Control System Fixes for cross-site scripting vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=68175
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2017-001633 // 
            
            
            
            CNNVD: CNNVD-201702-656

EXTERNAL IDS
db:NVDid:CVE-2017-3838
Trust: 2.8
db:BIDid:96234
Trust: 2.0
db:SECTRACKid:1037835
Trust: 1.1
db:JVNDBid:JVNDB-2017-001633
Trust: 0.8
db:CNNVDid:CNNVD-201702-656
Trust: 0.7
db:VULHUBid:VHN-112041
Trust: 0.1
sources:
            
            
            VULHUB: VHN-112041 // 
            
            
            
            BID: 96234 // 
            
            
            
            JVNDB: JVNDB-2017-001633 // 
            
            
            
            NVD: CVE-2017-3838 // 
            
            
            
            CNNVD: CNNVD-201702-656

REFERENCES
url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20170215-acs
Trust: 2.0
url:http://www.securityfocus.com/bid/96234
Trust: 1.7
url:http://www.securitytracker.com/id/1037835
Trust: 1.1
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-3838
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2017-3838
Trust: 0.8
url:http://www.cisco.com/en/us/products/ps9911/index.html
Trust: 0.3
sources:
            
            
            VULHUB: VHN-112041 // 
            
            
            
            BID: 96234 // 
            
            
            
            JVNDB: JVNDB-2017-001633 // 
            
            
            
            NVD: CVE-2017-3838 // 
            
            
            
            CNNVD: CNNVD-201702-656

CREDITS
Cisco
Trust: 0.9
sources:
            
            
            BID: 96234 // 
            
            
            
            CNNVD: CNNVD-201702-656

SOURCES
db:VULHUBid:VHN-112041
db:BIDid:96234
db:JVNDBid:JVNDB-2017-001633
db:NVDid:CVE-2017-3838
db:CNNVDid:CNNVD-201702-656

LAST UPDATE DATE
2023-12-18T13:34:19.360000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-112041date:2017-07-25T00:00:00
db:BIDid:96234date:2017-03-07T03:03:00
db:JVNDBid:JVNDB-2017-001633date:2017-03-10T00:00:00
db:NVDid:CVE-2017-3838date:2017-07-25T01:29:09.233
db:CNNVDid:CNNVD-201702-656date:2017-02-22T00:00:00

SOURCES RELEASE DATE
db:VULHUBid:VHN-112041date:2017-02-22T00:00:00
db:BIDid:96234date:2017-02-15T00:00:00
db:JVNDBid:JVNDB-2017-001633date:2017-03-10T00:00:00
db:NVDid:CVE-2017-3838date:2017-02-22T02:59:00.480
db:CNNVDid:CNNVD-201702-656date:2017-02-22T00:00:00