Details of VAR-201906-0290

ID

VAR-201906-0290

CVE

CVE-2019-1881

TITLE

Cisco Industrial Network Director Vulnerable to cross-site request forgery

Trust: 0.8

sources: JVNDB: JVNDB-2019-005282

DESCRIPTION

A vulnerability in the web-based management interface of Cisco Industrial Network Director (IND) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. The vulnerability is due to insufficient CSRF protections for the web-based management interface of the affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to use a web browser and the privileges of the user to perform arbitrary actions on an affected device. For more information about CSRF attacks and potential mitigations, see Understanding Cross-Site Request Forgery Threat Vectors. Cisco Industrial Network Director is prone to a cross-site request-forgery vulnerability. This issue is being tracked by Cisco bug ID CSCvm30050. The system realizes automatic management through visual operation of industrial Ethernet infrastructure. The vulnerability stems from the WEB application not adequately verifying that the request is from a trusted user

Trust: 2.07

sources: NVD: CVE-2019-1881 // JVNDB: JVNDB-2019-005282 // BID: 108678 // VULHUB: VHN-151193 // VULMON: CVE-2019-1881

AFFECTED PRODUCTS

vendor:	cisco	model:	industrial network director	scope:	eq	version:	1.5\(0.250\)	Trust: 1.0
vendor:	cisco	model:	industrial network director	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	network level service	scope:	eq	version:	1.5(0.250)	Trust: 0.3
vendor:	cisco	model:	industrial network director	scope:	eq	version:	0	Trust: 0.3

sources: BID: 108678 // JVNDB: JVNDB-2019-005282 // NVD: CVE-2019-1881

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-1881
value:	HIGH
Trust: 1.0
ykramarz@cisco.com:	CVE-2019-1881
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2019-1881
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201906-156
value:	HIGH
Trust: 0.6
VULHUB:	VHN-151193
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2019-1881
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2019-1881
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-151193
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2019-1881
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.0
Trust: 1.8
ykramarz@cisco.com:	CVE-2019-1881
baseSeverity:	MEDIUM
baseScore:	4.7
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	NONE
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	1.4
version:	3.0
Trust: 1.0

sources: VULHUB: VHN-151193 // VULMON: CVE-2019-1881 // JVNDB: JVNDB-2019-005282 // CNNVD: CNNVD-201906-156 // NVD: CVE-2019-1881 // NVD: CVE-2019-1881

PROBLEMTYPE DATA

problemtype:

CWE-352

Trust: 1.9

sources: VULHUB: VHN-151193 // JVNDB: JVNDB-2019-005282 // NVD: CVE-2019-1881

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201906-156

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201906-156

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-005282

PATCH

title:	cisco-sa-20190605-ind-csrf	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190605-ind-csrf	Trust: 0.8
title:	Cisco Industrial Network Director Fixes for cross-site request forgery vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=93248	Trust: 0.6
title:	Cisco: Cisco Industrial Network Director Cross-Site Request Forgery Vulnerability	url:	https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-20190605-ind-csrf	Trust: 0.1
title:	PoC	url:	https://github.com/Jonathan-Elias/PoC	Trust: 0.1
title:	-	url:	https://github.com/khulnasoft-lab/awesome-security	Trust: 0.1

sources: VULMON: CVE-2019-1881 // JVNDB: JVNDB-2019-005282 // CNNVD: CNNVD-201906-156

EXTERNAL IDS

db:	NVD	id:	CVE-2019-1881	Trust: 2.9
db:	BID	id:	108678	Trust: 2.1
db:	JVNDB	id:	JVNDB-2019-005282	Trust: 0.8
db:	CNNVD	id:	CNNVD-201906-156	Trust: 0.7
db:	AUSCERT	id:	ESB-2019.2025.2	Trust: 0.6
db:	AUSCERT	id:	ESB-2019.2025	Trust: 0.6
db:	VULHUB	id:	VHN-151193	Trust: 0.1
db:	VULMON	id:	CVE-2019-1881	Trust: 0.1

sources: VULHUB: VHN-151193 // VULMON: CVE-2019-1881 // BID: 108678 // JVNDB: JVNDB-2019-005282 // CNNVD: CNNVD-201906-156 // NVD: CVE-2019-1881

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190605-ind-csrf	Trust: 2.8
url:	http://www.securityfocus.com/bid/108678	Trust: 2.5
url:	https://nvd.nist.gov/vuln/detail/cve-2019-1881	Trust: 1.4
url:	http://www.cisco.com/	Trust: 0.9
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-1881	Trust: 0.8
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190605-ind-xss	Trust: 0.6
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190605-ind-rce	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2019.2025.2/	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2019.2025/	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/352.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULHUB: VHN-151193 // VULMON: CVE-2019-1881 // BID: 108678 // JVNDB: JVNDB-2019-005282 // CNNVD: CNNVD-201906-156 // NVD: CVE-2019-1881

CREDITS

Cisco

Trust: 0.9

sources: BID: 108678 // CNNVD: CNNVD-201906-156

SOURCES

db:	VULHUB	id:	VHN-151193
db:	VULMON	id:	CVE-2019-1881
db:	BID	id:	108678
db:	JVNDB	id:	JVNDB-2019-005282
db:	CNNVD	id:	CNNVD-201906-156
db:	NVD	id:	CVE-2019-1881

LAST UPDATE DATE

2024-11-23T22:11:59.938000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-151193	date:	2019-10-09T00:00:00
db:	VULMON	id:	CVE-2019-1881	date:	2019-10-09T00:00:00
db:	BID	id:	108678	date:	2019-06-05T00:00:00
db:	JVNDB	id:	JVNDB-2019-005282	date:	2019-06-18T00:00:00
db:	CNNVD	id:	CNNVD-201906-156	date:	2019-06-13T00:00:00
db:	NVD	id:	CVE-2019-1881	date:	2024-11-21T04:37:36.277

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-151193	date:	2019-06-05T00:00:00
db:	VULMON	id:	CVE-2019-1881	date:	2019-06-05T00:00:00
db:	BID	id:	108678	date:	2019-06-05T00:00:00
db:	JVNDB	id:	JVNDB-2019-005282	date:	2019-06-18T00:00:00
db:	CNNVD	id:	CNNVD-201906-156	date:	2019-06-05T00:00:00
db:	NVD	id:	CVE-2019-1881	date:	2019-06-05T17:29:00.680