ID

VAR-201502-0133


CVE

CVE-2015-0599


TITLE

Cisco Unified Computing System Running on C-Series Rack Servers Vulnerable to Clickjacking Attacks

Trust: 0.8

sources: JVNDB: JVNDB-2015-001444

DESCRIPTION

The web interface in Cisco Integrated Management Controller in Cisco Unified Computing System (UCS) on C-Series Rack Servers does not properly restrict use of IFRAME elements, which makes it easier for remote attackers to conduct clickjacking attacks and unspecified other attacks via a crafted web site, related to a "cross-frame scripting (XFS)" issue, aka Bug ID CSCuf50138. The vendor has confirmed this vulnerability and released it as Bug ID CSCuf50138. Supplementary information: the vulnerability type has been identified as CWE-254: Security Features. http://cwe.mitre.org/data/definitions/254.html A third party could use a crafted web site to conduct clickjacking attacks and cause other unspecified effects. Cisco Unified Computing System C-Series Rack Servers is prone to a cross-frame scripting vulnerability. Successful exploits will allow attackers to bypass the same-origin policy and perform unauthorized actions; other attacks are possible. Cisco Integrated Management Controller (IMC) is a set of management tools for these servers; it supports HTTP and SSH access, among others, and can perform operations such as starting, shutting down and restarting the server. The vulnerability is caused by the program not properly restricting the use of IFRAME elements.

Trust: 1.98

sources: NVD: CVE-2015-0599 // JVNDB: JVNDB-2015-001444 // BID: 72509 // VULHUB: VHN-78545

AFFECTED PRODUCTS

vendor: cisco, model: unified computing system 1.4, scope: -, version: -

Trust: 3.9

vendor: cisco, model: unified computing system, scope: eq, version: -

Trust: 1.6

vendor: cisco, model: unified computing system 1.3, scope: -, version: -

Trust: 1.5

vendor: cisco, model: unified computing system 1.2, scope: -, version: -

Trust: 1.5

vendor: cisco, model: unified computing system 1.4 1, scope: -, version: -

Trust: 1.5

vendor: cisco, model: unified computing system, scope: -, version: -

Trust: 0.8

vendor: cisco, model: unified computing system software, scope: lte, version: 1.5(1f)

Trust: 0.8

vendor: cisco, model: unified computing system 1.5, scope: -, version: -

Trust: 0.6

vendor: cisco, model: unified computing system 1.4 2, scope: -, version: -

Trust: 0.6

vendor: cisco, model: unified computing system, scope: eq, version: 1.3

Trust: 0.3

vendor: cisco, model: unified computing system, scope: eq, version: 1.2

Trust: 0.3

vendor: cisco, model: unified computing system 1.1, scope: -, version: -

Trust: 0.3

vendor: cisco, model: unified computing system, scope: eq, version: 1.1

Trust: 0.3

vendor: cisco, model: unified computing system, scope: eq, version: 1.5

Trust: 0.3

vendor: cisco, model: unified computing system 1.4 5, scope: -, version: -

Trust: 0.3

vendor: cisco, model: unified computing system, scope: eq, version: 1.4(2)

Trust: 0.3

vendor: cisco, model: unified computing system, scope: eq, version: 1.4

sources: BID: 72509 // JVNDB: JVNDB-2015-001444 // CNNVD: CNNVD-201502-068 // NVD: CVE-2015-0599

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-0599
value: MEDIUM

Trust: 1.0

NVD: CVE-2015-0599
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201502-068
value: MEDIUM

Trust: 0.6

VULHUB: VHN-78545
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2015-0599
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-78545
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-78545 // JVNDB: JVNDB-2015-001444 // CNNVD: CNNVD-201502-068 // NVD: CVE-2015-0599

PROBLEMTYPE DATA

problemtype:CWE-254

Trust: 1.1

problemtype:CWE-Other

Trust: 0.8

sources: VULHUB: VHN-78545 // JVNDB: JVNDB-2015-001444 // NVD: CVE-2015-0599

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201502-068

TYPE

Origin Validation Error

Trust: 0.3

sources: BID: 72509

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-001444

PATCH

title: Cisco UCS C-Series Rack Servers Integrated Management Controller Cross-Frame Scripting Vulnerability, url: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2015-0599

Trust: 0.8

title: 37324, url: http://tools.cisco.com/security/center/viewAlert.x?alertId=37324

Trust: 0.8

sources: JVNDB: JVNDB-2015-001444

EXTERNAL IDS

db: NVD, id: CVE-2015-0599

Trust: 2.8

db: BID, id: 72509

Trust: 1.4

db: SECUNIA, id: 62762

Trust: 1.1

db: JVNDB, id: JVNDB-2015-001444

Trust: 0.8

db: CNNVD, id: CNNVD-201502-068

Trust: 0.7

db: VULHUB, id: VHN-78545

Trust: 0.1

sources: VULHUB: VHN-78545 // BID: 72509 // JVNDB: JVNDB-2015-001444 // CNNVD: CNNVD-201502-068 // NVD: CVE-2015-0599

REFERENCES

url:http://tools.cisco.com/security/center/content/ciscosecuritynotice/cve-2015-0599

Trust: 2.0

url:http://tools.cisco.com/security/center/viewalert.x?alertid=37324

Trust: 1.4

url:http://www.securityfocus.com/bid/72509

Trust: 1.1

url:http://secunia.com/advisories/62762

Trust: 1.1

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/100614

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-0599

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-0599

Trust: 0.8

url:http://www.cisco.com/

Trust: 0.3

sources: VULHUB: VHN-78545 // BID: 72509 // JVNDB: JVNDB-2015-001444 // CNNVD: CNNVD-201502-068 // NVD: CVE-2015-0599

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 72509

SOURCES

db: VULHUB, id: VHN-78545
db: BID, id: 72509
db: JVNDB, id: JVNDB-2015-001444
db: CNNVD, id: CNNVD-201502-068
db: NVD, id: CVE-2015-0599

LAST UPDATE DATE

2024-11-23T22:01:53.152000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-78545, date: 2017-09-08T00:00:00
db: BID, id: 72509, date: 2015-02-03T00:00:00
db: JVNDB, id: JVNDB-2015-001444, date: 2015-02-13T00:00:00
db: CNNVD, id: CNNVD-201502-068, date: 2015-02-04T00:00:00
db: NVD, id: CVE-2015-0599, date: 2024-11-21T02:23:23.187

SOURCES RELEASE DATE

db: VULHUB, id: VHN-78545, date: 2015-02-03T00:00:00
db: BID, id: 72509, date: 2015-02-03T00:00:00
db: JVNDB, id: JVNDB-2015-001444, date: 2015-02-13T00:00:00
db: CNNVD, id: CNNVD-201502-068, date: 2015-02-04T00:00:00
db: NVD, id: CVE-2015-0599, date: 2015-02-03T22:59:02.317