ID

VAR-201311-0233


CVE

CVE-2013-6698


TITLE

Vulnerability in the web interface of Cisco Wireless LAN Controller devices that could allow clickjacking attacks

Trust: 0.8

sources: JVNDB: JVNDB-2013-005240

DESCRIPTION

The web interface on Cisco Wireless LAN Controller (WLC) devices does not properly restrict use of IFRAME elements, which makes it easier for remote attackers to conduct clickjacking attacks and unspecified other attacks via a crafted web site, related to a "cross-frame scripting (XFS)" issue, aka Bug ID CSCuf77821. The problem is related to a "cross-frame scripting (XFS)" vulnerability. The Cisco Wireless LAN Controller is responsible for system-wide wireless LAN functions such as security policy, intrusion protection, RF management, quality of service, and mobility. The vulnerability is due to insufficient protection of HTML sub-frames, which allows an attacker to build malicious HTML sub-frames, entice a user to load them, and perform clickjacking or other client-side browser attacks. Successful exploits will allow attackers to bypass the same-origin policy and perform unauthorized actions; other attacks are possible. This issue is being tracked by Cisco Bug ID CSCuf77821.

Trust: 2.52

sources: NVD: CVE-2013-6698 // JVNDB: JVNDB-2013-005240 // CNVD: CNVD-2013-14708 // BID: 63866 // VULHUB: VHN-66700

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2013-14708

AFFECTED PRODUCTS

vendor: cisco, model: wireless lan controller, scope: -, version: -

Trust: 1.4

vendor: cisco, model: wireless lan controller, scope: eq, version: *

Trust: 1.0

vendor: cisco, model: wireless lan controller software, scope: lte, version: 7.4(.110)

Trust: 0.8

vendor: cisco, model: wireless lan controller, scope: eq, version: 7.x

Trust: 0.6

sources: CNVD: CNVD-2013-14708 // JVNDB: JVNDB-2013-005240 // CNNVD: CNNVD-201311-366 // NVD: CVE-2013-6698

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2013-6698
value: MEDIUM

Trust: 1.0

NVD: CVE-2013-6698
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2013-14708
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201311-366
value: MEDIUM

Trust: 0.6

VULHUB: VHN-66700
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2013-6698
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2013-14708
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-66700
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CNVD: CNVD-2013-14708 // VULHUB: VHN-66700 // JVNDB: JVNDB-2013-005240 // CNNVD: CNNVD-201311-366 // NVD: CVE-2013-6698

PROBLEMTYPE DATA

problemtype: CWE-264

Trust: 1.9

sources: VULHUB: VHN-66700 // JVNDB: JVNDB-2013-005240 // NVD: CVE-2013-6698

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201311-366

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201311-366

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-005240

PATCH

title: Cisco Wireless LAN Controller Cross-Frame Scripting Vulnerability, url: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-6698

Trust: 0.8

title: 31864, url: http://tools.cisco.com/security/center/viewAlert.x?alertId=31864

Trust: 0.8

title: Patch for Cisco Wireless LAN Controller (WLC) Clickjacking Vulnerability, url: https://www.cnvd.org.cn/patchInfo/show/41315

Trust: 0.6

sources: CNVD: CNVD-2013-14708 // JVNDB: JVNDB-2013-005240

EXTERNAL IDS

db: NVD, id: CVE-2013-6698

Trust: 3.4

db: BID, id: 63866

Trust: 1.0

db: JVNDB, id: JVNDB-2013-005240

Trust: 0.8

db: CNNVD, id: CNNVD-201311-366

Trust: 0.7

db: CNVD, id: CNVD-2013-14708

Trust: 0.6

db: CISCO, id: 20131121 CISCO WIRELESS LAN CONTROLLER CROSS-FRAME SCRIPTING VULNERABILITY

Trust: 0.6

db: VULHUB, id: VHN-66700

Trust: 0.1

sources: CNVD: CNVD-2013-14708 // VULHUB: VHN-66700 // BID: 63866 // JVNDB: JVNDB-2013-005240 // CNNVD: CNNVD-201311-366 // NVD: CVE-2013-6698

REFERENCES

url: http://tools.cisco.com/security/center/content/ciscosecuritynotice/cve-2013-6698

Trust: 2.3

url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-6698

Trust: 0.8

url: http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-6698

Trust: 0.8

url: http://tools.cisco.com/support/bugtoolkit/search/getbugdetails.do?method=fetchbugdetails&bugid=cscuf77821

Trust: 0.6

url: http://www.cisco.com

Trust: 0.3

url: http://www.cisco.com/en/us/products/ps6307/index.html

Trust: 0.3

sources: CNVD: CNVD-2013-14708 // VULHUB: VHN-66700 // BID: 63866 // JVNDB: JVNDB-2013-005240 // CNNVD: CNNVD-201311-366 // NVD: CVE-2013-6698

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 63866

SOURCES

db: CNVD, id: CNVD-2013-14708
db: VULHUB, id: VHN-66700
db: BID, id: 63866
db: JVNDB, id: JVNDB-2013-005240
db: CNNVD, id: CNNVD-201311-366
db: NVD, id: CVE-2013-6698

LAST UPDATE DATE

2024-11-23T22:42:39.319000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2013-14708, date: 2014-03-07T00:00:00
db: VULHUB, id: VHN-66700, date: 2013-11-25T00:00:00
db: BID, id: 63866, date: 2013-11-25T00:34:00
db: JVNDB, id: JVNDB-2013-005240, date: 2013-11-27T00:00:00
db: CNNVD, id: CNNVD-201311-366, date: 2013-12-13T00:00:00
db: NVD, id: CVE-2013-6698, date: 2024-11-21T01:59:34.443

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2013-14708, date: 2013-11-26T00:00:00
db: VULHUB, id: VHN-66700, date: 2013-11-22T00:00:00
db: BID, id: 63866, date: 2013-11-21T00:00:00
db: JVNDB, id: JVNDB-2013-005240, date: 2013-11-27T00:00:00
db: CNNVD, id: CNNVD-201311-366, date: 2013-11-22T00:00:00
db: NVD, id: CVE-2013-6698, date: 2013-11-22T19:55:09.907