ID

VAR-202010-1309


CVE

CVE-2020-3598


TITLE

Vulnerability regarding lack of authentication for critical features in Cisco Vision Dynamic Signage Director

Trust: 0.8

sources: JVNDB: JVNDB-2020-012345

DESCRIPTION

A vulnerability in the web-based management interface of Cisco Vision Dynamic Signage Director could allow an unauthenticated, remote attacker to access confidential information or make configuration changes. The vulnerability is due to missing authentication for a specific section of the web-based management interface. An attacker could exploit this vulnerability by accessing a crafted URL. A successful exploit could allow the attacker to obtain access to a section of the interface, which they could use to read confidential information or make configuration changes. This vulnerability stems from network systems or products not properly restricting access to resources from unauthorized roles.

Trust: 1.71

sources: NVD: CVE-2020-3598 // JVNDB: JVNDB-2020-012345 // VULHUB: VHN-181723

AFFECTED PRODUCTS

vendor: cisco, model: vision dynamic signage director, scope: lt, version: 6.2.0

Trust: 1.0

vendor: cisco, model: vision dynamic signage director, scope: eq, version: 6.2.0

Trust: 1.0

vendor: Cisco Systems, model: cisco vision dynamic signage director, scope: eq, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2020-012345 // NVD: CVE-2020-3598

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-3598
value: MEDIUM

Trust: 1.0

ykramarz@cisco.com: CVE-2020-3598
value: MEDIUM

Trust: 1.0

NVD: CVE-2020-3598
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202010-223
value: MEDIUM

Trust: 0.6

VULHUB: VHN-181723
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-3598
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-181723
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-3598
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.5
version: 3.1

Trust: 2.0

NVD: CVE-2020-3598
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-181723 // JVNDB: JVNDB-2020-012345 // CNNVD: CNNVD-202010-223 // NVD: CVE-2020-3598 // NVD: CVE-2020-3598

PROBLEMTYPE DATA

problemtype: CWE-306

Trust: 1.1

problemtype: Lack of authentication for important features (CWE-306) [NVD Evaluation]

Trust: 0.8

sources: VULHUB: VHN-181723 // JVNDB: JVNDB-2020-012345 // NVD: CVE-2020-3598

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202010-223

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-202010-223

PATCH

title: cisco-sa-cvdsd-missing-auth-rQO88rnj, url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cvdsd-missing-auth-rQO88rnj

Trust: 0.8

title: Cisco Vision Dynamic Signage Director Fixes for access control error vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=129852

Trust: 0.6

sources: JVNDB: JVNDB-2020-012345 // CNNVD: CNNVD-202010-223

EXTERNAL IDS

db: NVD, id: CVE-2020-3598

Trust: 2.5

db: JVNDB, id: JVNDB-2020-012345

Trust: 0.8

db: AUSCERT, id: ESB-2020.3476

Trust: 0.6

db: NSFOCUS, id: 50160

Trust: 0.6

db: CNNVD, id: CNNVD-202010-223

Trust: 0.6

db: CNVD, id: CNVD-2020-58782

Trust: 0.1

db: VULHUB, id: VHN-181723

Trust: 0.1

sources: VULHUB: VHN-181723 // JVNDB: JVNDB-2020-012345 // CNNVD: CNNVD-202010-223 // NVD: CVE-2020-3598

REFERENCES

url: https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-cvdsd-missing-auth-rqo88rnj

Trust: 2.3

url: https://nvd.nist.gov/vuln/detail/cve-2020-3598

Trust: 1.4

url: http://www.nsfocus.net/vulndb/50160

Trust: 0.6

url: https://www.auscert.org.au/bulletins/esb-2020.3476/

Trust: 0.6

sources: VULHUB: VHN-181723 // JVNDB: JVNDB-2020-012345 // CNNVD: CNNVD-202010-223 // NVD: CVE-2020-3598

SOURCES

db: VULHUB, id: VHN-181723
db: JVNDB, id: JVNDB-2020-012345
db: CNNVD, id: CNNVD-202010-223
db: NVD, id: CVE-2020-3598

LAST UPDATE DATE

2024-11-23T22:29:27.230000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-181723, date: 2020-10-20T00:00:00
db: JVNDB, id: JVNDB-2020-012345, date: 2021-04-30T07:30:00
db: CNNVD, id: CNNVD-202010-223, date: 2020-11-04T00:00:00
db: NVD, id: CVE-2020-3598, date: 2024-11-21T05:31:23.233

SOURCES RELEASE DATE

db: VULHUB, id: VHN-181723, date: 2020-10-08T00:00:00
db: JVNDB, id: JVNDB-2020-012345, date: 2021-04-30T00:00:00
db: CNNVD, id: CNNVD-202010-223, date: 2020-10-08T00:00:00
db: NVD, id: CVE-2020-3598, date: 2020-10-08T05:15:15.757