ID

VAR-201904-0248


CVE

CVE-2019-1722


TITLE

Cisco Expressway Series and TelePresence Video Communication Server Vulnerable to cross-site request forgery

Trust: 0.8

sources: JVNDB: JVNDB-2019-003533

DESCRIPTION

A vulnerability in the FindMe feature of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected system. The vulnerability is due to insufficient CSRF protections for the web-based management interface of the affected system. An attacker could exploit this vulnerability by persuading a user of the interface to follow a maliciously crafted link. A successful exploit could allow the attacker to perform arbitrary actions on an affected system with the privileges of the user. The arbitrary actions include adding an attacker-controlled device and redirecting calls intended for a specific user. For more information about CSRF attacks and potential mitigations, see Understanding Cross-Site Request Forgery Threat Vectors. This vulnerability is fixed in software version X12.5.1 and later. Other attacks are also possible. This issue is being tracked by Cisco Bug ID CSCvn47520.

Trust: 1.98

sources: NVD: CVE-2019-1722 // JVNDB: JVNDB-2019-003533 // BID: 108006 // VULHUB: VHN-149444

AFFECTED PRODUCTS

vendor: cisco | model: telepresence video communication server | scope: lt | version: x12.5.1

Trust: 1.0

vendor: cisco | model: expressway series | scope: eq | version: -

Trust: 1.0

vendor: cisco | model: expressway | scope: - | version: -

Trust: 0.8

vendor: cisco | model: telepresence video communication server software | scope: - | version: -

Trust: 0.8

vendor: cisco | model: telepresence video communication server | scope: eq | version: 0

Trust: 0.3

vendor: cisco | model: expressway series | scope: eq | version: 0

Trust: 0.3

sources: BID: 108006 // JVNDB: JVNDB-2019-003533 // NVD: CVE-2019-1722

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-1722
value: MEDIUM

Trust: 1.0

ykramarz@cisco.com: CVE-2019-1722
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-1722
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201904-830
value: MEDIUM

Trust: 0.6

VULHUB: VHN-149444
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-1722
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-149444
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-1722
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.0

Trust: 2.8

sources: VULHUB: VHN-149444 // JVNDB: JVNDB-2019-003533 // CNNVD: CNNVD-201904-830 // NVD: CVE-2019-1722

PROBLEMTYPE DATA

problemtype: CWE-352

Trust: 1.9

sources: VULHUB: VHN-149444 // JVNDB: JVNDB-2019-003533 // NVD: CVE-2019-1722

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201904-830

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201904-830

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-003533

PATCH

title: cisco-sa-20190417-ex-vcs-xsrf | url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190417-ex-vcs-xsrf

Trust: 0.8

title: Cisco Expressway Series and Cisco TelePresence Video Communication Server Fixes for cross-site request forgery vulnerabilities | url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=91665

Trust: 0.6

sources: JVNDB: JVNDB-2019-003533 // CNNVD: CNNVD-201904-830

EXTERNAL IDS

db: NVD | id: CVE-2019-1722

Trust: 2.8

db: BID | id: 108006

Trust: 2.0

db: JVNDB | id: JVNDB-2019-003533

Trust: 0.8

db: AUSCERT | id: ESB-2019.1330.2

Trust: 0.6

db: CNNVD | id: CNNVD-201904-830

Trust: 0.6

db: VULHUB | id: VHN-149444

Trust: 0.1

sources: VULHUB: VHN-149444 // BID: 108006 // JVNDB: JVNDB-2019-003533 // CNNVD: CNNVD-201904-830 // NVD: CVE-2019-1722

REFERENCES

url: http://www.securityfocus.com/bid/108006

Trust: 2.3

url: https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190417-ex-vcs-xsrf

Trust: 2.0

url: https://nvd.nist.gov/vuln/detail/cve-2019-1722

Trust: 1.4

url: http://www.cisco.com/

Trust: 0.9

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-1722

Trust: 0.8

url: https://www.auscert.org.au/bulletins/79282

Trust: 0.6

sources: VULHUB: VHN-149444 // BID: 108006 // JVNDB: JVNDB-2019-003533 // CNNVD: CNNVD-201904-830 // NVD: CVE-2019-1722

CREDITS

Cisco

Trust: 0.9

sources: BID: 108006 // CNNVD: CNNVD-201904-830

SOURCES

db: VULHUB | id: VHN-149444
db: BID | id: 108006
db: JVNDB | id: JVNDB-2019-003533
db: CNNVD | id: CNNVD-201904-830
db: NVD | id: CVE-2019-1722

LAST UPDATE DATE

2024-11-23T21:52:21.486000+00:00


SOURCES UPDATE DATE

db: VULHUB | id: VHN-149444 | date: 2019-10-09T00:00:00
db: BID | id: 108006 | date: 2019-04-17T00:00:00
db: JVNDB | id: JVNDB-2019-003533 | date: 2019-05-20T00:00:00
db: CNNVD | id: CNNVD-201904-830 | date: 2019-04-22T00:00:00
db: NVD | id: CVE-2019-1722 | date: 2024-11-21T04:37:10.750

SOURCES RELEASE DATE

db: VULHUB | id: VHN-149444 | date: 2019-04-18T00:00:00
db: BID | id: 108006 | date: 2019-04-17T00:00:00
db: JVNDB | id: JVNDB-2019-003533 | date: 2019-05-20T00:00:00
db: CNNVD | id: CNNVD-201904-830 | date: 2019-04-17T00:00:00
db: NVD | id: CVE-2019-1722 | date: 2019-04-18T01:29:02.063