Sign-up

ID

VAR-201804-1001


CVE

CVE-2018-0255


TITLE

Cisco IOS Vulnerable to cross-site request forgery

Trust: 0.8

sources: JVNDB: JVNDB-2018-004351

DESCRIPTION

A vulnerability in the device manager web interface of Cisco Industrial Ethernet Switches could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack against a user of an affected system. The vulnerability is due to insufficient CSRF protection by the device manager web interface. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link or visit an attacker-controlled website. A successful exploit could allow the attacker to submit arbitrary requests to an affected device via the device manager web interface with the privileges of the user. This vulnerability affects the following Cisco Industrial Ethernet (IE) Switches if they are running a vulnerable release of Cisco IOS Software: IE 2000 Series, IE 2000U Series, IE 3000 Series, IE 3010 Series, IE 4000 Series, IE 4010 Series, IE 5000 Series. Cisco Bug IDs: CSCvc96405. Cisco IOS Contains a cross-site request forgery vulnerability. Vendors have confirmed this vulnerability Bug ID CSCvc96405 It is released as.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state

Trust: 2.52

sources: NVD: CVE-2018-0255 // JVNDB: JVNDB-2018-004351 // CNVD: CNVD-2018-09787 // IVD: e2ef5f81-39ab-11e9-a334-000c29342cb1 // VULHUB: VHN-118457 // VULMON: CVE-2018-0255

IOT TAXONOMY

category:['IoT', 'ICS', 'Network device']sub_category: -

Trust: 0.6

category:['ICS']sub_category: -

Trust: 0.2

sources: IVD: e2ef5f81-39ab-11e9-a334-000c29342cb1 // CNVD: CNVD-2018-09787

AFFECTED PRODUCTS

vendor:ciscomodel:iosscope:eqversion:15.2\(5\)e

Trust: 1.6

vendor:ciscomodel:iosscope: - version: -

Trust: 0.8

vendor:ciscomodel:iescope:eqversion:5000

Trust: 0.6

vendor:ciscomodel:iescope:eqversion:4010

Trust: 0.6

vendor:ciscomodel:iescope:eqversion:4000

Trust: 0.6

vendor:ciscomodel:iescope:eqversion:3010

Trust: 0.6

vendor:ciscomodel:iescope:eqversion:3000

Trust: 0.6

vendor:ciscomodel:iescope:eqversion:2000

Trust: 0.6

vendor:ciscomodel:ie 2000uscope: - version: -

Trust: 0.6

vendor:iosmodel:15.2 escope: - version: -

Trust: 0.2

sources: IVD: e2ef5f81-39ab-11e9-a334-000c29342cb1 // CNVD: CNVD-2018-09787 // JVNDB: JVNDB-2018-004351 // CNNVD: CNNVD-201804-1095 // NVD: CVE-2018-0255

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-0255
value: HIGH

Trust: 1.0

NVD: CVE-2018-0255
value: HIGH

Trust: 0.8

CNVD: CNVD-2018-09787
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201804-1095
value: HIGH

Trust: 0.6

IVD: e2ef5f81-39ab-11e9-a334-000c29342cb1
value: HIGH

Trust: 0.2

VULHUB: VHN-118457
value: MEDIUM

Trust: 0.1

VULMON: CVE-2018-0255
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2018-0255
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2018-09787
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: e2ef5f81-39ab-11e9-a334-000c29342cb1
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-118457
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-0255
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: IVD: e2ef5f81-39ab-11e9-a334-000c29342cb1 // CNVD: CNVD-2018-09787 // VULHUB: VHN-118457 // VULMON: CVE-2018-0255 // JVNDB: JVNDB-2018-004351 // CNNVD: CNNVD-201804-1095 // NVD: CVE-2018-0255

PROBLEMTYPE DATA

problemtype:CWE-352

Trust: 1.9

sources: VULHUB: VHN-118457 // JVNDB: JVNDB-2018-004351 // NVD: CVE-2018-0255

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201804-1095

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201804-1095

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2018-004351

PATCH
title:cisco-sa-20180418-iessurl:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-iess
Trust: 0.8
title:Patches for multiple CiscoIndustrialEthernet switches across site request forgery vulnerabilitiesurl:https://www.cnvd.org.cn/patchInfo/show/129547
Trust: 0.6
title:Multiple Cisco Industrial Ethernet Repair measures for switch cross-site request forgery vulnerabilityurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=81390
Trust: 0.6
title:Cisco: Cisco Industrial Ethernet Switches Device Manager Cross-Site Request Forgery Vulnerabilityurl:https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-20180418-iess
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2018-09787 // 
            
            
            
            VULMON: CVE-2018-0255 // 
            
            
            
            JVNDB: JVNDB-2018-004351 // 
            
            
            
            CNNVD: CNNVD-201804-1095

EXTERNAL IDS
db:NVDid:CVE-2018-0255
Trust: 3.4
db:SECTRACKid:1040715
Trust: 2.4
db:CNVDid:CNVD-2018-09787
Trust: 0.8
db:CNNVDid:CNNVD-201804-1095
Trust: 0.8
db:JVNDBid:JVNDB-2018-004351
Trust: 0.8
db:IVDid:E2EF5F81-39AB-11E9-A334-000C29342CB1
Trust: 0.2
db:VULHUBid:VHN-118457
Trust: 0.1
db:VULMONid:CVE-2018-0255
Trust: 0.1
sources:
            
            
            IVD: e2ef5f81-39ab-11e9-a334-000c29342cb1 // 
            
            
            
            CNVD: CNVD-2018-09787 // 
            
            
            
            VULHUB: VHN-118457 // 
            
            
            
            VULMON: CVE-2018-0255 // 
            
            
            
            JVNDB: JVNDB-2018-004351 // 
            
            
            
            CNNVD: CNNVD-201804-1095 // 
            
            
            
            NVD: CVE-2018-0255

REFERENCES
url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20180418-iess
Trust: 1.9
url:http://www.securitytracker.com/id/1040715
Trust: 1.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-0255
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2018-0255
Trust: 0.8
url:https://securitytracker.com/id/1040715
Trust: 0.6
url:https://cwe.mitre.org/data/definitions/352.html
Trust: 0.1
url:https://nvd.nist.gov
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2018-09787 // 
            
            
            
            VULHUB: VHN-118457 // 
            
            
            
            VULMON: CVE-2018-0255 // 
            
            
            
            JVNDB: JVNDB-2018-004351 // 
            
            
            
            CNNVD: CNNVD-201804-1095 // 
            
            
            
            NVD: CVE-2018-0255

SOURCES
db:IVDid:e2ef5f81-39ab-11e9-a334-000c29342cb1
db:CNVDid:CNVD-2018-09787
db:VULHUBid:VHN-118457
db:VULMONid:CVE-2018-0255
db:JVNDBid:JVNDB-2018-004351
db:CNNVDid:CNNVD-201804-1095
db:NVDid:CVE-2018-0255

LAST UPDATE DATE
2024-11-23T21:53:15.685000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2018-09787date:2018-05-18T00:00:00
db:VULHUBid:VHN-118457date:2019-10-09T00:00:00
db:VULMONid:CVE-2018-0255date:2019-10-09T00:00:00
db:JVNDBid:JVNDB-2018-004351date:2018-06-18T00:00:00
db:CNNVDid:CNNVD-201804-1095date:2019-10-17T00:00:00
db:NVDid:CVE-2018-0255date:2024-11-21T03:37:49.590

SOURCES RELEASE DATE
db:IVDid:e2ef5f81-39ab-11e9-a334-000c29342cb1date:2018-05-18T00:00:00
db:CNVDid:CNVD-2018-09787date:2018-05-18T00:00:00
db:VULHUBid:VHN-118457date:2018-04-19T00:00:00
db:VULMONid:CVE-2018-0255date:2018-04-19T00:00:00
db:JVNDBid:JVNDB-2018-004351date:2018-06-18T00:00:00
db:CNNVDid:CNNVD-201804-1095date:2018-04-19T00:00:00
db:NVDid:CVE-2018-0255date:2018-04-19T20:29:01.177