ID

VAR-201401-0167


CVE

CVE-2013-6974


TITLE

Cross-site scripting vulnerability in the web interface of Cisco Secure Access Control System

Trust: 0.8

sources: JVNDB: JVNDB-2014-001025

DESCRIPTION

Cross-site scripting (XSS) vulnerability in the web interface in Cisco Secure Access Control System (ACS) allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka Bug ID CSCud89431. Cisco Secure ACS is a central management platform for Cisco network devices that controls device authentication and authorization. The system controls network access and network device access through the RADIUS and TACACS protocols, respectively. Because parameter input is insufficiently validated, an attacker can exploit this vulnerability by enticing a user to access a malicious link. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issue is being tracked by Cisco Bug ID CSCud89431.

Trust: 2.52

sources: NVD: CVE-2013-6974 // JVNDB: JVNDB-2014-001025 // CNVD: CNVD-2014-00213 // BID: 64752 // VULHUB: VHN-66976

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2014-00213

AFFECTED PRODUCTS

vendor: cisco, model: secure access control system, scope: eq, version: -

Trust: 1.6

vendor: cisco, model: secure access control system software, scope: lte, version: 5.3(0.40.7)

Trust: 0.8

vendor: cisco, model: secure access control system, scope: -, version: -

Trust: 0.6

sources: CNVD: CNVD-2014-00213 // JVNDB: JVNDB-2014-001025 // CNNVD: CNNVD-201401-139 // NVD: CVE-2013-6974

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2013-6974
value: MEDIUM

Trust: 1.0

NVD: CVE-2013-6974
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2014-00213
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201401-139
value: MEDIUM

Trust: 0.6

VULHUB: VHN-66976
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2013-6974
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2014-00213
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-66976
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CNVD: CNVD-2014-00213 // VULHUB: VHN-66976 // JVNDB: JVNDB-2014-001025 // CNNVD: CNNVD-201401-139 // NVD: CVE-2013-6974

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-66976 // JVNDB: JVNDB-2014-001025 // NVD: CVE-2013-6974

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201401-139

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201401-139

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-001025

PATCH

title: Cisco Secure Access Control System Cross-Site Scripting Vulnerability, url: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-6974

Trust: 0.8

title: 32396, url: http://tools.cisco.com/security/center/viewAlert.x?alertId=32396

Trust: 0.8

title: Patch for Unknown Reflective Cross-Site Scripting Vulnerability in Cisco Secure Access Control System (ACS), url: https://www.cnvd.org.cn/patchInfo/show/42280

Trust: 0.6

sources: CNVD: CNVD-2014-00213 // JVNDB: JVNDB-2014-001025

EXTERNAL IDS

db: NVD, id: CVE-2013-6974

Trust: 3.4

db: BID, id: 64752

Trust: 2.0

db: OSVDB, id: 101894

Trust: 1.7

db: SECTRACK, id: 1029594

Trust: 1.1

db: SECUNIA, id: 56353

Trust: 1.1

db: JVNDB, id: JVNDB-2014-001025

Trust: 0.8

db: CNNVD, id: CNNVD-201401-139

Trust: 0.7

db: CNVD, id: CNVD-2014-00213

Trust: 0.6

db: CISCO, id: 20140109 CISCO SECURE ACCESS CONTROL SYSTEM CROSS-SITE SCRIPTING VULNERABILITY

Trust: 0.6

db: VULHUB, id: VHN-66976

Trust: 0.1

sources: CNVD: CNVD-2014-00213 // VULHUB: VHN-66976 // BID: 64752 // JVNDB: JVNDB-2014-001025 // CNNVD: CNNVD-201401-139 // NVD: CVE-2013-6974

REFERENCES

url:http://tools.cisco.com/security/center/content/ciscosecuritynotice/cve-2013-6974

Trust: 2.3

url:http://www.securityfocus.com/bid/64752

Trust: 1.1

url:http://osvdb.org/101894

Trust: 1.1

url:http://www.securitytracker.com/id/1029594

Trust: 1.1

url:http://secunia.com/advisories/56353

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-6974

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-6974

Trust: 0.8

url:http://osvdb.com/show/osvdb/101894

Trust: 0.6

sources: CNVD: CNVD-2014-00213 // VULHUB: VHN-66976 // JVNDB: JVNDB-2014-001025 // CNNVD: CNNVD-201401-139 // NVD: CVE-2013-6974

CREDITS

Cisco

Trust: 0.3

sources: BID: 64752

SOURCES

db: CNVD, id: CNVD-2014-00213
db: VULHUB, id: VHN-66976
db: BID, id: 64752
db: JVNDB, id: JVNDB-2014-001025
db: CNNVD, id: CNNVD-201401-139
db: NVD, id: CVE-2013-6974

LAST UPDATE DATE

2024-11-23T22:23:12.120000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2014-00213, date: 2014-01-13T00:00:00
db: VULHUB, id: VHN-66976, date: 2016-09-09T00:00:00
db: BID, id: 64752, date: 2014-01-14T03:02:00
db: JVNDB, id: JVNDB-2014-001025, date: 2014-01-14T00:00:00
db: CNNVD, id: CNNVD-201401-139, date: 2014-01-13T00:00:00
db: NVD, id: CVE-2013-6974, date: 2024-11-21T02:00:05.430

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2014-00213, date: 2014-01-13T00:00:00
db: VULHUB, id: VHN-66976, date: 2014-01-10T00:00:00
db: BID, id: 64752, date: 2014-01-09T00:00:00
db: JVNDB, id: JVNDB-2014-001025, date: 2014-01-14T00:00:00
db: CNNVD, id: CNNVD-201401-139, date: 2014-01-13T00:00:00
db: NVD, id: CVE-2013-6974, date: 2014-01-10T12:02:51.670