Details of VAR-201910-0374

ID

VAR-201910-0374

CVE

CVE-2019-12636

TITLE

Cisco Small Business Smart and Managed Switch Vulnerable to cross-site request forgery

Trust: 0.8

sources: JVNDB: JVNDB-2019-011149

DESCRIPTION

A vulnerability in the web-based management interface of Cisco Small Business Smart and Managed Switches could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protections for the web-based management interface on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the targeted user. If the user has administrative privileges, the attacker could alter the configuration, execute commands, or cause a denial of service (DoS) condition on an affected device. Cisco 250 Series Smart Switches, etc. are products of the United States Cisco (Cisco). The Cisco 250 Series Smart Switches is a 250 series smart switch. The Cisco 350 Series Managed Switches is a 350 series managed switch. 550X Series Stackable Managed Switches is a 550X Series managed switch. The vulnerability stems from the program's failure to provide adequate cross-site request forgery protection

Trust: 2.16

sources: NVD: CVE-2019-12636 // JVNDB: JVNDB-2019-011149 // CNVD: CNVD-2019-39610

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2019-39610

AFFECTED PRODUCTS

vendor:	cisco	model:	sf250x-24p	scope:	lt	version:	2.5.0.90	Trust: 1.0
vendor:	cisco	model:	sg300-10sfp	scope:	lt	version:	1.4.11.02	Trust: 1.0
vendor:	cisco	model:	sf200e-24p	scope:	lt	version:	1.4.11.02	Trust: 1.0
vendor:	cisco	model:	sf500-24p	scope:	lt	version:	1.4.11.02	Trust: 1.0
vendor:	cisco	model:	sf500-48	scope:	lt	version:	1.4.11.02	Trust: 1.0
vendor:	cisco	model:	sf250x-24	scope:	lt	version:	2.5.0.90	Trust: 1.0
vendor:	cisco	model:	sf200-24p	scope:	lt	version:	1.4.11.02	Trust: 1.0
vendor:	cisco	model:	sf250-26hp	scope:	lt	version:	2.5.0.90	Trust: 1.0
vendor:	cisco	model:	sg550x-24mp	scope:	lt	version:	2.5.0.90	Trust: 1.0
vendor:	cisco	model:	sg350-10mp	scope:	lt	version:	2.5.0.90	Trust: 1.0
vendor:	cisco	model:	sg500x-24p	scope:	lt	version:	1.4.11.02	Trust: 1.0
vendor:	cisco	model:	sf200-48p	scope:	lt	version:	1.4.11.02	Trust: 1.0
vendor:	cisco	model:	sf300-48	scope:	lt	version:	1.4.11.02	Trust: 1.0
vendor:	cisco	model:	sf300-24p	scope:	lt	version:	1.4.11.02	Trust: 1.0
vendor:	cisco	model:	sg500-28mpp	scope:	lt	version:	1.4.11.02	Trust: 1.0
vendor:	cisco	model:	sg550x-24mpp	scope:	lt	version:	2.5.0.90	Trust: 1.0
vendor:	cisco	model:	sg300-28	scope:	lt	version:	1.4.11.02	Trust: 1.0
vendor:	cisco	model:	sg300-52	scope:	lt	version:	1.4.11.02	Trust: 1.0
vendor:	cisco	model:	sg200-26	scope:	lt	version:	1.4.11.02	Trust: 1.0
vendor:	cisco	model:	sg355-10p	scope:	lt	version:	2.5.0.90	Trust: 1.0
vendor:	cisco	model:	sg550x-24	scope:	lt	version:	2.5.0.90	Trust: 1.0
vendor:	cisco	model:	sf250-50p	scope:	lt	version:	2.5.0.90	Trust: 1.0
vendor:	cisco	model:	sg500x-48p	scope:	lt	version:	1.4.11.02	Trust: 1.0
vendor:	cisco	model:	sg200-50	scope:	lt	version:	1.4.11.02	Trust: 1.0
vendor:	cisco	model:	sg300-10	scope:	lt	version:	1.4.11.02	Trust: 1.0
vendor:	cisco	model:	sf200-24fp	scope:	lt	version:	1.4.11	Trust: 1.0
vendor:	cisco	model:	sf250x-48	scope:	lt	version:	2.5.0.90	Trust: 1.0
vendor:	cisco	model:	sf200e-48	scope:	lt	version:	1.4.11.02	Trust: 1.0
vendor:	cisco	model:	sg200-18	scope:	lt	version:	1.4.11.02	Trust: 1.0
vendor:	cisco	model:	sg200-10fp	scope:	lt	version:	1.4.11.02	Trust: 1.0
vendor:	cisco	model:	sf302-08pp	scope:	lt	version:	1.4.11.02	Trust: 1.0
vendor:	cisco	model:	sg500xg-8f8t	scope:	lt	version:	1.4.11.02	Trust: 1.0
vendor:	cisco	model:	sx550x-52	scope:	lt	version:	2.5.0.90	Trust: 1.0
vendor:	cisco	model:	sg350-28p	scope:	lt	version:	2.5.0.90	Trust: 1.0
vendor:	cisco	model:	sf550x-48p	scope:	lt	version:	2.5.0.90	Trust: 1.0
vendor:	cisco	model:	sf350-48p	scope:	lt	version:	2.5.0.90	Trust: 1.0
vendor:	cisco	model:	sg300-20	scope:	lt	version:	1.4.11.02	Trust: 1.0
vendor:	cisco	model:	sf550x-48	scope:	lt	version:	2.5.0.90	Trust: 1.0
vendor:	cisco	model:	sf250-50	scope:	lt	version:	2.5.0.90	Trust: 1.0
vendor:	cisco	model:	sf250x-48p	scope:	lt	version:	2.5.0.90	Trust: 1.0
vendor:	cisco	model:	sg500-52	scope:	lt	version:	1.4.11.02	Trust: 1.0
vendor:	cisco	model:	sf300-48p	scope:	lt	version:	1.4.11.02	Trust: 1.0
vendor:	cisco	model:	sf300-08	scope:	lt	version:	1.4.11.02	Trust: 1.0
vendor:	cisco	model:	sg550x-48mp	scope:	lt	version:	2.5.0.90	Trust: 1.0
vendor:	cisco	model:	sf550x-48mp	scope:	lt	version:	2.5.0.90	Trust: 1.0
vendor:	cisco	model:	sf500-48p	scope:	lt	version:	1.4.11.02	Trust: 1.0
vendor:	cisco	model:	sg350-28	scope:	lt	version:	2.5.0.90	Trust: 1.0
vendor:	cisco	model:	sg200-26p	scope:	lt	version:	1.4.11.02	Trust: 1.0
vendor:	cisco	model:	sf250-48	scope:	lt	version:	2.5.0.90	Trust: 1.0
vendor:	cisco	model:	sg200-50p	scope:	lt	version:	1.4.11.02	Trust: 1.0
vendor:	cisco	model:	sg300-10pp	scope:	lt	version:	1.4.11.02	Trust: 1.0
vendor:	cisco	model:	sf250-24p	scope:	lt	version:	2.5.0.90	Trust: 1.0
vendor:	cisco	model:	sx550x-24ft	scope:	lt	version:	2.5.0.90	Trust: 1.0
vendor:	cisco	model:	sf550x-24	scope:	lt	version:	2.5.0.90	Trust: 1.0
vendor:	cisco	model:	sf302-08mp	scope:	lt	version:	1.4.11.02	Trust: 1.0
vendor:	cisco	model:	sg550x-48	scope:	lt	version:	2.5.0.90	Trust: 1.0
vendor:	cisco	model:	sf500-24	scope:	lt	version:	1.4.11.02	Trust: 1.0
vendor:	cisco	model:	sg550x-48p	scope:	lt	version:	2.5.0.90	Trust: 1.0
vendor:	cisco	model:	sg500x-24	scope:	lt	version:	1.4.11.02	Trust: 1.0
vendor:	cisco	model:	sf300-24pp	scope:	lt	version:	1.4.11.02	Trust: 1.0
vendor:	cisco	model:	sg300-10mp	scope:	lt	version:	1.4.11.02	Trust: 1.0
vendor:	cisco	model:	sg300-52p	scope:	lt	version:	1.4.11.02	Trust: 1.0
vendor:	cisco	model:	sf250-10p	scope:	lt	version:	2.5.0.90	Trust: 1.0
vendor:	cisco	model:	sg500-52p	scope:	lt	version:	1.4.11.02	Trust: 1.0
vendor:	cisco	model:	sf300-48pp	scope:	lt	version:	1.4.11.02	Trust: 1.0
vendor:	cisco	model:	sf250-50hp	scope:	lt	version:	2.5.0.90	Trust: 1.0
vendor:	cisco	model:	sf250-26	scope:	lt	version:	2.5.0.90	Trust: 1.0
vendor:	cisco	model:	sx550x-12f	scope:	lt	version:	2.5.0.90	Trust: 1.0
vendor:	cisco	model:	sg300-28pp	scope:	lt	version:	1.4.11.02	Trust: 1.0
vendor:	cisco	model:	sf250-48hp	scope:	lt	version:	2.5.0.90	Trust: 1.0
vendor:	cisco	model:	sf300-24	scope:	lt	version:	1.4.11.02	Trust: 1.0
vendor:	cisco	model:	sg500-28	scope:	lt	version:	1.4.11.02	Trust: 1.0
vendor:	cisco	model:	sg500-28p	scope:	lt	version:	1.4.11.02	Trust: 1.0
vendor:	cisco	model:	sf550x-24mp	scope:	lt	version:	2.5.0.90	Trust: 1.0
vendor:	cisco	model:	sg550x-24p	scope:	lt	version:	2.5.0.90	Trust: 1.0
vendor:	cisco	model:	sf200e48p	scope:	lt	version:	1.4.11.02	Trust: 1.0
vendor:	cisco	model:	sf250-08	scope:	lt	version:	2.5.0.90	Trust: 1.0
vendor:	cisco	model:	sf250-24	scope:	lt	version:	2.5.0.90	Trust: 1.0
vendor:	cisco	model:	sf250-26p	scope:	lt	version:	2.5.0.90	Trust: 1.0
vendor:	cisco	model:	sf200-48	scope:	lt	version:	1.4.11.02	Trust: 1.0
vendor:	cisco	model:	sg300-52mp	scope:	lt	version:	1.4.11.02	Trust: 1.0
vendor:	cisco	model:	sg200-08	scope:	lt	version:	1.4.11.02	Trust: 1.0
vendor:	cisco	model:	sg200-08p	scope:	lt	version:	1.4.11.02	Trust: 1.0
vendor:	cisco	model:	sf250-08hp	scope:	lt	version:	2.5.0.90	Trust: 1.0
vendor:	cisco	model:	sg500x-48	scope:	lt	version:	1.4.11.02	Trust: 1.0
vendor:	cisco	model:	sf350-48	scope:	lt	version:	2.5.0.90	Trust: 1.0
vendor:	cisco	model:	sg300-10p	scope:	lt	version:	1.4.11.02	Trust: 1.0
vendor:	cisco	model:	sx550x-24f	scope:	lt	version:	2.5.0.90	Trust: 1.0
vendor:	cisco	model:	sf302-08p	scope:	lt	version:	1.4.11.02	Trust: 1.0
vendor:	cisco	model:	sx550x-24	scope:	lt	version:	2.5.0.90	Trust: 1.0
vendor:	cisco	model:	sf200e-24	scope:	lt	version:	1.4.11.02	Trust: 1.0
vendor:	cisco	model:	sg350-10p	scope:	lt	version:	2.5.0.90	Trust: 1.0
vendor:	cisco	model:	sf300-24mp	scope:	lt	version:	1.4.11.02	Trust: 1.0
vendor:	cisco	model:	sg200-50fp	scope:	lt	version:	1.4.11.02	Trust: 1.0
vendor:	cisco	model:	sg200-26fp	scope:	lt	version:	1.4.11.02	Trust: 1.0
vendor:	cisco	model:	sf200-24	scope:	lt	version:	1.4.11	Trust: 1.0
vendor:	cisco	model:	sx550x-16ft	scope:	lt	version:	2.5.0.90	Trust: 1.0
vendor:	cisco	model:	sf302-08	scope:	lt	version:	1.4.11.02	Trust: 1.0
vendor:	cisco	model:	sg300-28mp	scope:	lt	version:	1.4.11.02	Trust: 1.0
vendor:	cisco	model:	sg500-52mp	scope:	lt	version:	1.4.11.02	Trust: 1.0
vendor:	cisco	model:	sf550x-24p	scope:	lt	version:	2.5.0.90	Trust: 1.0
vendor:	cisco	model:	sg300-10mpp	scope:	lt	version:	1.4.11.02	Trust: 1.0
vendor:	cisco	model:	sf350-48mp	scope:	lt	version:	2.5.0.90	Trust: 1.0
vendor:	cisco	model:	sf302-08mpp	scope:	lt	version:	1.4.11.02	Trust: 1.0
vendor:	cisco	model:	sf250-18	scope:	lt	version:	2.5.0.90	Trust: 1.0
vendor:	cisco	model:	sg350-28mp	scope:	lt	version:	2.5.0.90	Trust: 1.0
vendor:	cisco	model:	sg300-28p	scope:	lt	version:	1.4.11.02	Trust: 1.0
vendor:	cisco	model:	sg350-10	scope:	lt	version:	2.5.0.90	Trust: 1.0
vendor:	cisco	model:	250 series smart switch	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	350 series managed switch	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	550x series stackable managed switch	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	series smart switches	scope:	eq	version:	250	Trust: 0.6
vendor:	cisco	model:	series managed switches	scope:	eq	version:	350	Trust: 0.6
vendor:	cisco	model:	series stackable managed switches	scope:	eq	version:	550x	Trust: 0.6

sources: CNVD: CNVD-2019-39610 // JVNDB: JVNDB-2019-011149 // NVD: CVE-2019-12636

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-12636
value:	HIGH
Trust: 1.0
ykramarz@cisco.com:	CVE-2019-12636
value:	HIGH
Trust: 1.0
NVD:	CVE-2019-12636
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2019-39610
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201910-1107
value:	HIGH
Trust: 0.6

nvd@nist.gov:	CVE-2019-12636
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2019-39610
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2019-12636
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 1.0
ykramarz@cisco.com:	CVE-2019-12636
baseSeverity:	HIGH
baseScore:	8.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.2
version:	3.0
Trust: 1.0
NVD:	CVE-2019-12636
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2019-39610 // JVNDB: JVNDB-2019-011149 // CNNVD: CNNVD-201910-1107 // NVD: CVE-2019-12636 // NVD: CVE-2019-12636

PROBLEMTYPE DATA

problemtype:

CWE-352

Trust: 1.8

sources: JVNDB: JVNDB-2019-011149 // NVD: CVE-2019-12636

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201910-1107

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201910-1107

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-011149

PATCH

title:	cisco-sa-20191016-sbss-csrfCVE-2019-12636	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-sbss-csrf	Trust: 0.8
title:	Patch for Cisco 250 Series Smart Switches, 350 Series Managed Switches, and 550X Series Stackable Managed Switches Cross-Site Request Forgery Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/189157	Trust: 0.6

sources: CNVD: CNVD-2019-39610 // JVNDB: JVNDB-2019-011149

EXTERNAL IDS

db:	NVD	id:	CVE-2019-12636	Trust: 3.0
db:	JVNDB	id:	JVNDB-2019-011149	Trust: 0.8
db:	CNVD	id:	CNVD-2019-39610	Trust: 0.6
db:	AUSCERT	id:	ESB-2019.3882	Trust: 0.6
db:	AUSCERT	id:	ESB-2019.3882.2	Trust: 0.6
db:	CNNVD	id:	CNNVD-201910-1107	Trust: 0.6

sources: CNVD: CNVD-2019-39610 // JVNDB: JVNDB-2019-011149 // CNNVD: CNNVD-201910-1107 // NVD: CVE-2019-12636

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20191016-sbss-csrf	Trust: 2.8
url:	https://nvd.nist.gov/vuln/detail/cve-2019-12636	Trust: 1.4
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-12636	Trust: 0.8
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20191016-sbss-xss	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2019.3882/	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2019.3882.2/	Trust: 0.6

sources: CNVD: CNVD-2019-39610 // JVNDB: JVNDB-2019-011149 // CNNVD: CNNVD-201910-1107 // NVD: CVE-2019-12636

CREDITS

Marcin Mol of Securitum, Poland .

Trust: 0.6

sources: CNNVD: CNNVD-201910-1107

SOURCES

db:	CNVD	id:	CNVD-2019-39610
db:	JVNDB	id:	JVNDB-2019-011149
db:	CNNVD	id:	CNNVD-201910-1107
db:	NVD	id:	CVE-2019-12636

LAST UPDATE DATE

2024-11-23T22:29:52.351000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2019-39610	date:	2019-11-08T00:00:00
db:	JVNDB	id:	JVNDB-2019-011149	date:	2019-10-29T00:00:00
db:	CNNVD	id:	CNNVD-201910-1107	date:	2020-09-02T00:00:00
db:	NVD	id:	CVE-2019-12636	date:	2024-11-21T04:23:14.233

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2019-39610	date:	2019-11-08T00:00:00
db:	JVNDB	id:	JVNDB-2019-011149	date:	2019-10-29T00:00:00
db:	CNNVD	id:	CNNVD-201910-1107	date:	2019-10-16T00:00:00
db:	NVD	id:	CVE-2019-12636	date:	2019-10-16T19:15:10.987