ID

VAR-201811-0181


CVE

CVE-2018-15445


TITLE

Cisco Energy Management Suite Software Vulnerable to cross-site request forgery

Trust: 0.8

sources: JVNDB: JVNDB-2018-011647

DESCRIPTION

A vulnerability in the web-based management interface of Cisco Energy Management Suite Software could allow an authenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. The vulnerability is due to insufficient CSRF protections for the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading an authenticated user of the interface to follow a crafted link. A successful exploit could allow the attacker to perform arbitrary actions on a targeted device via a web browser and with the privileges of the user. Cisco Energy Management Suite is prone to a cross-site request forgery vulnerability. Other attacks are also possible. This issue is being tracked by Cisco Bug ID CSCvm29341. The product is mainly used for energy management of network equipment, etc.

Trust: 1.98

sources: NVD: CVE-2018-15445 // JVNDB: JVNDB-2018-011647 // BID: 105859 // VULHUB: VHN-125705

AFFECTED PRODUCTS

vendor: cisco, model: energy management suite software, scope: eq, version: -

Trust: 1.6

vendor: cisco, model: energy management suite software, scope: -, version: -

Trust: 0.8

vendor: cisco, model: energy management suite, scope: eq, version: 5.2.2

Trust: 0.3

vendor: cisco, model: energy management suite, scope: eq, version: 5.2

Trust: 0.3

vendor: cisco, model: energy management suite, scope: eq, version: 4.4

Trust: 0.3

sources: BID: 105859 // JVNDB: JVNDB-2018-011647 // CNNVD: CNNVD-201811-192 // NVD: CVE-2018-15445

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-15445
value: HIGH

Trust: 1.0

ykramarz@cisco.com: CVE-2018-15445
value: MEDIUM

Trust: 1.0

NVD: CVE-2018-15445
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201811-192
value: HIGH

Trust: 0.6

VULHUB: VHN-125705
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2018-15445
severity: MEDIUM
baseScore: 6.0
vectorString: AV:N/AC:M/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 6.8
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-125705
severity: MEDIUM
baseScore: 6.0
vectorString: AV:N/AC:M/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 6.8
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-15445
baseSeverity: HIGH
baseScore: 8.0
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.1
impactScore: 5.9
version: 3.0

Trust: 1.8

ykramarz@cisco.com: CVE-2018-15445
baseSeverity: MEDIUM
baseScore: 6.3
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.1
impactScore: 4.2
version: 3.0

Trust: 1.0

sources: VULHUB: VHN-125705 // JVNDB: JVNDB-2018-011647 // CNNVD: CNNVD-201811-192 // NVD: CVE-2018-15445 // NVD: CVE-2018-15445

PROBLEMTYPE DATA

problemtype: CWE-352

Trust: 1.9

sources: VULHUB: VHN-125705 // JVNDB: JVNDB-2018-011647 // NVD: CVE-2018-15445

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201811-192

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201811-192

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-011647

PATCH

title: cisco-sa-20181107-ems-csrf, url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-ems-csrf

Trust: 0.8

title: Cisco Energy Management Suite Fixes for cross-site request forgery vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=86663

Trust: 0.6

sources: JVNDB: JVNDB-2018-011647 // CNNVD: CNNVD-201811-192

EXTERNAL IDS

db: NVD, id: CVE-2018-15445

Trust: 2.8

db: BID, id: 105859

Trust: 2.0

db: TENABLE, id: TRA-2018-36

Trust: 1.7

db: JVNDB, id: JVNDB-2018-011647

Trust: 0.8

db: CNNVD, id: CNNVD-201811-192

Trust: 0.7

db: VULHUB, id: VHN-125705

Trust: 0.1

sources: VULHUB: VHN-125705 // BID: 105859 // JVNDB: JVNDB-2018-011647 // CNNVD: CNNVD-201811-192 // NVD: CVE-2018-15445

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20181107-ems-csrf

Trust: 2.6

url:http://www.securityfocus.com/bid/105859

Trust: 1.7

url:https://www.tenable.com/security/research/tra-2018-36

Trust: 1.7

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-15445

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2018-15445

Trust: 0.8

url:http://www.cisco.com/

Trust: 0.3

sources: VULHUB: VHN-125705 // BID: 105859 // JVNDB: JVNDB-2018-011647 // CNNVD: CNNVD-201811-192 // NVD: CVE-2018-15445

CREDITS

Cisco would like to thank Chris Lyne from Tenable for reporting this vulnerability.

Trust: 0.6

sources: CNNVD: CNNVD-201811-192

SOURCES

db: VULHUB, id: VHN-125705
db: BID, id: 105859
db: JVNDB, id: JVNDB-2018-011647
db: CNNVD, id: CNNVD-201811-192
db: NVD, id: CVE-2018-15445

LAST UPDATE DATE

2024-11-23T22:45:09.305000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-125705, date: 2019-10-09T00:00:00
db: BID, id: 105859, date: 2018-11-07T00:00:00
db: JVNDB, id: JVNDB-2018-011647, date: 2019-01-18T00:00:00
db: CNNVD, id: CNNVD-201811-192, date: 2019-10-17T00:00:00
db: NVD, id: CVE-2018-15445, date: 2024-11-21T03:50:49.113

SOURCES RELEASE DATE

db: VULHUB, id: VHN-125705, date: 2018-11-08T00:00:00
db: BID, id: 105859, date: 2018-11-07T00:00:00
db: JVNDB, id: JVNDB-2018-011647, date: 2019-01-18T00:00:00
db: CNNVD, id: CNNVD-201811-192, date: 2018-11-08T00:00:00
db: NVD, id: CVE-2018-15445, date: 2018-11-08T18:29:00.367