ID

VAR-201903-1285


CVE

CVE-2018-19525


TITLE

Cross-site request forgery vulnerability in multiple Systrome Cumilon ISG device products

Trust: 0.8

sources: JVNDB: JVNDB-2018-015189

DESCRIPTION

An issue was discovered on Systrome ISG-600C, ISG-600H, and ISG-800W 1.1-R2.1_TRUNK-20180914.bin devices. There is CSRF via /ui/?g=obj_keywords_add and /ui/?g=obj_keywords_addsave with resultant XSS because of a lack of CSRF token validation. Systrome Cumilon ISG-600C, ISG-600H, and ISG-800W devices contain a cross-site request forgery vulnerability. Information may be obtained and information may be altered. Systrome ISG-600C is an integrated security gateway device from the Indian company Systrome. A remote attacker could exploit this vulnerability to take control of the account.

Trust: 1.71

sources: NVD: CVE-2018-19525 // JVNDB: JVNDB-2018-015189 // VULHUB: VHN-130193

AFFECTED PRODUCTS

vendor: systrome // model: cumilon isg-800w // scope: eq // version: 1.1-r2.1

Trust: 1.0

vendor: systrome // model: cumilon isg-600c // scope: eq // version: 1.1-r2.1

Trust: 1.0

vendor: systrome // model: cumilon isg-600h // scope: eq // version: 1.1-r2.1

Trust: 1.0

vendor: systrome // model: isg 600c // scope: eq // version: 1.1-r2.1_trunk-20180914.bin

Trust: 0.8

vendor: systrome // model: isg 600h // scope: eq // version: 1.1-r2.1_trunk-20180914.bin

Trust: 0.8

vendor: systrome // model: isg 800w // scope: eq // version: 1.1-r2.1_trunk-20180914.bin

Trust: 0.8

sources: JVNDB: JVNDB-2018-015189 // NVD: CVE-2018-19525

CVSS

SEVERITY

nvd@nist.gov: CVE-2018-19525
value: MEDIUM

Trust: 1.0

NVD: CVE-2018-19525
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201902-613
value: MEDIUM

Trust: 0.6

VULHUB: VHN-130193
value: MEDIUM

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2018-19525
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-130193
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2018-19525
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-130193 // JVNDB: JVNDB-2018-015189 // CNNVD: CNNVD-201902-613 // NVD: CVE-2018-19525

PROBLEMTYPE DATA

problemtype:CWE-352

Trust: 1.9

problemtype:CWE-79

Trust: 1.1

sources: VULHUB: VHN-130193 // JVNDB: JVNDB-2018-015189 // NVD: CVE-2018-19525

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201902-613

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201902-613

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-015189

PATCH

title: Top Page // url: http://systrome.com/

Trust: 0.8

sources: JVNDB: JVNDB-2018-015189

EXTERNAL IDS

db: NVD // id: CVE-2018-19525

Trust: 2.5

db: PACKETSTORM // id: 151647

Trust: 2.5

db: JVNDB // id: JVNDB-2018-015189

Trust: 0.8

db: CNNVD // id: CNNVD-201902-613

Trust: 0.7

db: VULHUB // id: VHN-130193

Trust: 0.1

sources: VULHUB: VHN-130193 // JVNDB: JVNDB-2018-015189 // CNNVD: CNNVD-201902-613 // NVD: CVE-2018-19525

REFERENCES

url:http://packetstormsecurity.com/files/151647/systorme-isg-cross-site-request-forgery.html

Trust: 3.1

url:http://seclists.org/fulldisclosure/2019/feb/31

Trust: 1.7

url:https://s3curityb3ast.github.io/ksa-dev-002.md

Trust: 1.7

url:https://www.breakthesec.com/2019/02/cve-2018-19525-account-takeover-via.html

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2018-19525

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-19525

Trust: 0.8

url:http://breakthesec.com

Trust: 0.6

sources: VULHUB: VHN-130193 // JVNDB: JVNDB-2018-015189 // CNNVD: CNNVD-201902-613 // NVD: CVE-2018-19525

CREDITS

Kaustubh G. Padwad

Trust: 0.6

sources: CNNVD: CNNVD-201902-613

SOURCES

db: VULHUB // id: VHN-130193
db: JVNDB // id: JVNDB-2018-015189
db: CNNVD // id: CNNVD-201902-613
db: NVD // id: CVE-2018-19525

LAST UPDATE DATE

2024-11-23T22:12:08.293000+00:00


SOURCES UPDATE DATE

db: VULHUB // id: VHN-130193 // date: 2020-08-24T00:00:00
db: JVNDB // id: JVNDB-2018-015189 // date: 2019-05-09T00:00:00
db: CNNVD // id: CNNVD-201902-613 // date: 2019-05-09T00:00:00
db: NVD // id: CVE-2018-19525 // date: 2024-11-21T03:58:06.017

SOURCES RELEASE DATE

db: VULHUB // id: VHN-130193 // date: 2019-03-21T00:00:00
db: JVNDB // id: JVNDB-2018-015189 // date: 2019-05-09T00:00:00
db: CNNVD // id: CNNVD-201902-613 // date: 2019-02-13T00:00:00
db: NVD // id: CVE-2018-19525 // date: 2019-03-21T16:00:31.827