Details of VAR-201608-0241

ID

VAR-201608-0241

CVE

CVE-2016-1474

TITLE

Cisco Prime Infrastructure Vulnerable to a clickjacking attack

Trust: 0.8

sources: JVNDB: JVNDB-2016-004343

DESCRIPTION

Cisco Prime Infrastructure 2.2(2) does not properly restrict use of IFRAME elements, which makes it easier for remote attackers to conduct clickjacking attacks and unspecified other attacks via a crafted web site, related to a "cross-frame scripting (XFS)" issue, aka Bug ID CSCuw65846, a different vulnerability than CVE-2015-6434. Vendors have confirmed this vulnerability Bug ID CSCuw65846 It is released as. This vulnerability CVE-2015-6434 Is a different vulnerability. Supplementary information : CWE Vulnerability type by CWE-284: Improper Access Control ( Inappropriate access control ) Has been identified. http://cwe.mitre.org/data/definitions/284.htmlSkillfully crafted by a third party Web Clickjacking attacks and other unspecified attacks may be performed through the site. Cisco Prime Infrastructure is prone to a cross-frame scripting vulnerability. Successful exploits will allow attackers to bypass the same-origin policy and perform unauthorized actions; other attacks are possible. A remote attacker could exploit this vulnerability via a specially crafted website to carry out a clickjacking attack

Trust: 1.98

sources: NVD: CVE-2016-1474 // JVNDB: JVNDB-2016-004343 // BID: 92278 // VULHUB: VHN-90293

AFFECTED PRODUCTS

vendor:	cisco	model:	prime infrastructure	scope:	eq	version:	2.2\(2\)	Trust: 1.6
vendor:	cisco	model:	prime infrastructure	scope:	eq	version:	2.2(2)	Trust: 1.1

sources: BID: 92278 // JVNDB: JVNDB-2016-004343 // CNNVD: CNNVD-201608-179 // NVD: CVE-2016-1474

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2016-1474
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2016-1474
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201608-179
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-90293
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2016-1474
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-90293
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2016-1474
baseSeverity:	MEDIUM
baseScore:	4.3
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	1.4
version:	3.0
Trust: 1.8

sources: VULHUB: VHN-90293 // JVNDB: JVNDB-2016-004343 // CNNVD: CNNVD-201608-179 // NVD: CVE-2016-1474

PROBLEMTYPE DATA

problemtype:	CWE-284	Trust: 1.1
problemtype:	CWE-Other	Trust: 0.8

sources: VULHUB: VHN-90293 // JVNDB: JVNDB-2016-004343 // NVD: CVE-2016-1474

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201608-179

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-201608-179

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-004343

PATCH

title:	cisco-sa-20160803-cpi	url:	http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160803-cpi	Trust: 0.8
title:	Cisco Prime Infrastructure Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=63570	Trust: 0.6

sources: JVNDB: JVNDB-2016-004343 // CNNVD: CNNVD-201608-179

EXTERNAL IDS

db:	NVD	id:	CVE-2016-1474	Trust: 2.8
db:	BID	id:	92278	Trust: 1.4
db:	SECTRACK	id:	1036530	Trust: 1.1
db:	JVNDB	id:	JVNDB-2016-004343	Trust: 0.8
db:	CNNVD	id:	CNNVD-201608-179	Trust: 0.7
db:	VULHUB	id:	VHN-90293	Trust: 0.1

sources: VULHUB: VHN-90293 // BID: 92278 // JVNDB: JVNDB-2016-004343 // CNNVD: CNNVD-201608-179 // NVD: CVE-2016-1474

REFERENCES

url:	http://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20160803-cpi	Trust: 2.0
url:	http://www.securityfocus.com/bid/92278	Trust: 1.1
url:	http://www.securitytracker.com/id/1036530	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-1474	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-1474	Trust: 0.8
url:	http://www.cisco.com/	Trust: 0.3

sources: VULHUB: VHN-90293 // BID: 92278 // JVNDB: JVNDB-2016-004343 // CNNVD: CNNVD-201608-179 // NVD: CVE-2016-1474

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 92278

SOURCES

db:	VULHUB	id:	VHN-90293
db:	BID	id:	92278
db:	JVNDB	id:	JVNDB-2016-004343
db:	CNNVD	id:	CNNVD-201608-179
db:	NVD	id:	CVE-2016-1474

LAST UPDATE DATE

2024-11-23T21:42:52.350000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-90293	date:	2017-08-16T00:00:00
db:	BID	id:	92278	date:	2016-08-03T00:00:00
db:	JVNDB	id:	JVNDB-2016-004343	date:	2016-08-17T00:00:00
db:	CNNVD	id:	CNNVD-201608-179	date:	2016-08-08T00:00:00
db:	NVD	id:	CVE-2016-1474	date:	2024-11-21T02:46:30.667

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-90293	date:	2016-08-08T00:00:00
db:	BID	id:	92278	date:	2016-08-03T00:00:00
db:	JVNDB	id:	JVNDB-2016-004343	date:	2016-08-17T00:00:00
db:	CNNVD	id:	CNNVD-201608-179	date:	2016-08-08T00:00:00
db:	NVD	id:	CVE-2016-1474	date:	2016-08-08T00:59:07.687