ID

VAR-201510-0026


CVE

CVE-2015-6349


TITLE

Cross-site scripting vulnerability in the web interface of the Solution Engine in Cisco Secure Access Control Server

Trust: 0.8

sources: JVNDB: JVNDB-2015-005686

DESCRIPTION

Cross-site scripting (XSS) vulnerability in the web interface in the Solution Engine in Cisco Secure Access Control Server (ACS) 5.7(0.15) allows remote attackers to inject arbitrary web script or HTML via a crafted URL. The vendor has released this vulnerability as Bug ID CSCuw24705. A third party may be able to insert arbitrary web script or HTML through a crafted URL. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issue is being tracked by Cisco Bug ID CSCuw24705. Solution Engine is one of the server engine solutions

Trust: 2.07

sources: NVD: CVE-2015-6349 // JVNDB: JVNDB-2015-005686 // BID: 77309 // VULHUB: VHN-84310 // VULMON: CVE-2015-6349

AFFECTED PRODUCTS

vendor: cisco // model: secure access control server // scope: eq // version: 5.7.0.15

Trust: 1.6

vendor: cisco // model: secure access control server solution engine // scope: eq // version: 5.7(0.15)

Trust: 0.8

vendor: cisco // model: secure access control server solution engine // scope: eq // version: 5.7.0.15

Trust: 0.3

sources: BID: 77309 // JVNDB: JVNDB-2015-005686 // CNNVD: CNNVD-201510-783 // NVD: CVE-2015-6349

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-6349
value: MEDIUM

Trust: 1.0

NVD: CVE-2015-6349
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201510-783
value: MEDIUM

Trust: 0.6

VULHUB: VHN-84310
value: MEDIUM

Trust: 0.1

VULMON: CVE-2015-6349
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2015-6349
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-84310
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-84310 // VULMON: CVE-2015-6349 // JVNDB: JVNDB-2015-005686 // CNNVD: CNNVD-201510-783 // NVD: CVE-2015-6349

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-84310 // JVNDB: JVNDB-2015-005686 // NVD: CVE-2015-6349

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201510-783

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201510-783

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-005686

PATCH

title: cisco-sa-20151023-acs_xss1 // url: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151023-acs_xss1

Trust: 0.8

title: Cisco Secure Access Control Server Solution Engine Fixes for cross-site scripting vulnerabilities // url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=58514

Trust: 0.6

title: Cisco: Cisco Secure Access Control Server Reflective Cross-Site Scripting Vulnerability // url: https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-20151023-acs_xss1

Trust: 0.1

sources: VULMON: CVE-2015-6349 // JVNDB: JVNDB-2015-005686 // CNNVD: CNNVD-201510-783

EXTERNAL IDS

db: NVD // id: CVE-2015-6349

Trust: 2.9

db: SECTRACK // id: 1033968

Trust: 1.2

db: JVNDB // id: JVNDB-2015-005686

Trust: 0.8

db: CNNVD // id: CNNVD-201510-783

Trust: 0.7

db: BID // id: 77309

Trust: 0.5

db: VULHUB // id: VHN-84310

Trust: 0.1

db: VULMON // id: CVE-2015-6349

Trust: 0.1

sources: VULHUB: VHN-84310 // VULMON: CVE-2015-6349 // BID: 77309 // JVNDB: JVNDB-2015-005686 // CNNVD: CNNVD-201510-783 // NVD: CVE-2015-6349

REFERENCES

url:http://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20151023-acs_xss1

Trust: 2.2

url:http://www.securitytracker.com/id/1033968

Trust: 1.2

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-6349

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-6349

Trust: 0.8

url:http://www.cisco.com/

Trust: 0.3

url:https://cwe.mitre.org/data/definitions/79.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://www.securityfocus.com/bid/77309

Trust: 0.1

sources: VULHUB: VHN-84310 // VULMON: CVE-2015-6349 // BID: 77309 // JVNDB: JVNDB-2015-005686 // CNNVD: CNNVD-201510-783 // NVD: CVE-2015-6349

CREDITS

Cisco

Trust: 0.3

sources: BID: 77309

SOURCES

db: VULHUB // id: VHN-84310
db: VULMON // id: CVE-2015-6349
db: BID // id: 77309
db: JVNDB // id: JVNDB-2015-005686
db: CNNVD // id: CNNVD-201510-783
db: NVD // id: CVE-2015-6349

LAST UPDATE DATE

2024-11-23T22:01:42.216000+00:00


SOURCES UPDATE DATE

db: VULHUB // id: VHN-84310 // date: 2016-12-07T00:00:00
db: VULMON // id: CVE-2015-6349 // date: 2016-12-07T00:00:00
db: BID // id: 77309 // date: 2015-10-26T00:00:00
db: JVNDB // id: JVNDB-2015-005686 // date: 2015-11-02T00:00:00
db: CNNVD // id: CNNVD-201510-783 // date: 2015-11-02T00:00:00
db: NVD // id: CVE-2015-6349 // date: 2024-11-21T02:34:49.940

SOURCES RELEASE DATE

db: VULHUB // id: VHN-84310 // date: 2015-10-30T00:00:00
db: VULMON // id: CVE-2015-6349 // date: 2015-10-30T00:00:00
db: BID // id: 77309 // date: 2015-10-26T00:00:00
db: JVNDB // id: JVNDB-2015-005686 // date: 2015-11-02T00:00:00
db: CNNVD // id: CNNVD-201510-783 // date: 2015-10-30T00:00:00
db: NVD // id: CVE-2015-6349 // date: 2015-10-30T10:59:07.107