ID

VAR-201905-0594


CVE

CVE-2019-1856


TITLE

Cisco Prime Collaboration Assurance vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2019-003900

DESCRIPTION

A vulnerability in the web-based management interface of Cisco Prime Collaboration Assurance (PCA) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerability is due to the insufficient validation of data supplied by external devices to the web-based management interface of an affected PCA device. An attacker in control of devices integrated with an affected PCA device could exploit this vulnerability by using crafted data in certain fields of the controlled devices. A successful exploit could allow the attacker to execute arbitrary script code in the context of the PCA web-based management interface or allow the attacker to access sensitive browser-based information. Cisco Prime Collaboration Assurance (PCA) contains a cross-site scripting vulnerability. Information may be obtained and information may be altered. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issue is being tracked by Cisco Bug ID CSCvk13522. The product supports simplified unified communication and video collaboration network management through a unified management console, and rapid deployment of communication sites, among others. The vulnerability stems from the lack of correct validation of client data in web applications. An attacker could exploit this vulnerability to execute client code.

Trust: 1.98

sources: NVD: CVE-2019-1856 // JVNDB: JVNDB-2019-003900 // BID: 108148 // VULHUB: VHN-150918

AFFECTED PRODUCTS

vendor: cisco, model: prime collaboration assurance, scope: eq, version: 12.1

Trust: 1.0

vendor: cisco, model: prime collaboration assurance, scope: -, version: -

Trust: 0.8

vendor: cisco, model: prime collaboration assurance, scope: eq, version: 0

Trust: 0.3

vendor: cisco, model: prime collaboration, scope: eq, version: 12.1

Trust: 0.3

vendor: cisco, model: prime collaboration assurance sp3, scope: ne, version: 12.1

Trust: 0.3

sources: BID: 108148 // JVNDB: JVNDB-2019-003900 // NVD: CVE-2019-1856

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-1856
value: MEDIUM

Trust: 1.0

ykramarz@cisco.com: CVE-2019-1856
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-1856
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201905-050
value: MEDIUM

Trust: 0.6

VULHUB: VHN-150918
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-1856
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-150918
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-1856
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.0

Trust: 2.8

sources: VULHUB: VHN-150918 // JVNDB: JVNDB-2019-003900 // CNNVD: CNNVD-201905-050 // NVD: CVE-2019-1856 // NVD: CVE-2019-1856

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.9

sources: VULHUB: VHN-150918 // JVNDB: JVNDB-2019-003900 // NVD: CVE-2019-1856

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201905-050

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201905-050

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-003900

PATCH

title: cisco-sa-20190501-pca-xss, url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-pca-xss

Trust: 0.8

title: Cisco Prime Collaboration Assurance Fixes for cross-site scripting vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=92193

Trust: 0.6

sources: JVNDB: JVNDB-2019-003900 // CNNVD: CNNVD-201905-050

EXTERNAL IDS

db: NVD, id: CVE-2019-1856

Trust: 2.8

db: BID, id: 108148

Trust: 2.0

db: JVNDB, id: JVNDB-2019-003900

Trust: 0.8

db: CNNVD, id: CNNVD-201905-050

Trust: 0.7

db: AUSCERT, id: ESB-2019.1534

Trust: 0.6

db: VULHUB, id: VHN-150918

Trust: 0.1

sources: VULHUB: VHN-150918 // BID: 108148 // JVNDB: JVNDB-2019-003900 // CNNVD: CNNVD-201905-050 // NVD: CVE-2019-1856

REFERENCES

url: http://www.securityfocus.com/bid/108148

Trust: 2.3

url: https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190501-pca-xss

Trust: 2.0

url: https://nvd.nist.gov/vuln/detail/cve-2019-1856

Trust: 1.4

url: http://www.cisco.com/

Trust: 0.9

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-1856

Trust: 0.8

url: https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190501-pnr-xss

Trust: 0.6

url: https://vigilance.fr/vulnerability/cisco-prime-collaboration-assurance-cross-site-scripting-29186

Trust: 0.6

url: https://www.auscert.org.au/bulletins/80174

Trust: 0.6

sources: VULHUB: VHN-150918 // BID: 108148 // JVNDB: JVNDB-2019-003900 // CNNVD: CNNVD-201905-050 // NVD: CVE-2019-1856

CREDITS

Cisco

Trust: 0.9

sources: BID: 108148 // CNNVD: CNNVD-201905-050

SOURCES

db: VULHUB, id: VHN-150918
db: BID, id: 108148
db: JVNDB, id: JVNDB-2019-003900
db: CNNVD, id: CNNVD-201905-050
db: NVD, id: CVE-2019-1856

LAST UPDATE DATE

2024-11-23T21:52:17.207000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-150918, date: 2019-05-06T00:00:00
db: BID, id: 108148, date: 2019-05-01T00:00:00
db: JVNDB, id: JVNDB-2019-003900, date: 2019-05-23T00:00:00
db: CNNVD, id: CNNVD-201905-050, date: 2019-05-08T00:00:00
db: NVD, id: CVE-2019-1856, date: 2024-11-21T04:37:32.457

SOURCES RELEASE DATE

db: VULHUB, id: VHN-150918, date: 2019-05-03T00:00:00
db: BID, id: 108148, date: 2019-05-01T00:00:00
db: JVNDB, id: JVNDB-2019-003900, date: 2019-05-23T00:00:00
db: CNNVD, id: CNNVD-201905-050, date: 2019-05-01T00:00:00
db: NVD, id: CVE-2019-1856, date: 2019-05-03T17:29:01.360