ID

VAR-202009-0479


CVE

CVE-2019-16009


TITLE

Cisco IOS and IOS XE Cross-site request forgery vulnerability in software

Trust: 0.8

sources: JVNDB: JVNDB-2019-016016

DESCRIPTION

A vulnerability in the web UI of Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protections for the web UI on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the targeted user. If the user has administrative privileges, the attacker could alter the configuration, execute commands, or reload an affected device. Cisco IOS and IOS XE are operating systems developed by Cisco for its network equipment.

Trust: 1.8

sources: NVD: CVE-2019-16009 // JVNDB: JVNDB-2019-016016 // VULHUB: VHN-148112 // VULMON: CVE-2019-16009

AFFECTED PRODUCTS

vendor: cisco // model: ios // scope: lt // version: 16.1.1

Trust: 1.0

vendor: cisco // model: ios xe // scope: lt // version: 16.1.1

Trust: 1.0

vendor: Cisco Systems // model: cisco ios // scope: eq // version: -

Trust: 0.8

vendor: Cisco Systems // model: cisco ios // scope: eq // version: xe

Trust: 0.8

vendor: Cisco Systems // model: cisco ios xe // scope: eq // version: -

Trust: 0.8

sources: JVNDB: JVNDB-2019-016016 // NVD: CVE-2019-16009

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-16009
value: HIGH

Trust: 1.0

ykramarz@cisco.com: CVE-2019-16009
value: HIGH

Trust: 1.0

NVD: CVE-2019-16009
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202001-242
value: HIGH

Trust: 0.6

VULHUB: VHN-148112
value: HIGH

Trust: 0.1

VULMON: CVE-2019-16009
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2019-16009
severity: HIGH
baseScore: 7.6
vectorString: AV:N/AC:H/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 4.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-148112
severity: HIGH
baseScore: 7.6
vectorString: AV:N/AC:H/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 4.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

ykramarz@cisco.com: CVE-2019-16009
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

nvd@nist.gov: CVE-2019-16009
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

sources: VULHUB: VHN-148112 // VULMON: CVE-2019-16009 // JVNDB: JVNDB-2019-016016 // CNNVD: CNNVD-202001-242 // NVD: CVE-2019-16009 // NVD: CVE-2019-16009

PROBLEMTYPE DATA

problemtype:CWE-352

Trust: 1.1

problemtype: Cross-site request forgery (CWE-352) [NVD Evaluation]

Trust: 0.8

sources: VULHUB: VHN-148112 // JVNDB: JVNDB-2019-016016 // NVD: CVE-2019-16009

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202001-242

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-202001-242

PATCH

title: cisco-sa-20200108-ios-csrf // url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200108-ios-csrf

Trust: 0.8

title: Cisco IOS and Cisco IOS XE Software Fixes for cross-site request forgery vulnerabilities // url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=108350

Trust: 0.6

title: Cisco: Cisco IOS and Cisco IOS XE Software Web UI Cross-Site Request Forgery Vulnerability // url: https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-20200108-ios-csrf

Trust: 0.1

title: The Register // url: https://www.theregister.co.uk/2020/01/10/cisco_january_patches/

Trust: 0.1

sources: VULMON: CVE-2019-16009 // JVNDB: JVNDB-2019-016016 // CNNVD: CNNVD-202001-242

EXTERNAL IDS

db: NVD // id: CVE-2019-16009

Trust: 2.6

db: JVNDB // id: JVNDB-2019-016016

Trust: 0.8

db: CNNVD // id: CNNVD-202001-242

Trust: 0.7

db: AUSCERT // id: ESB-2020.1534

Trust: 0.6

db: CNVD // id: CNVD-2020-03723

Trust: 0.1

db: VULHUB // id: VHN-148112

Trust: 0.1

db: VULMON // id: CVE-2019-16009

Trust: 0.1

sources: VULHUB: VHN-148112 // VULMON: CVE-2019-16009 // JVNDB: JVNDB-2019-016016 // CNNVD: CNNVD-202001-242 // NVD: CVE-2019-16009

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20200108-ios-csrf

Trust: 2.5

url:https://nvd.nist.gov/vuln/detail/cve-2019-16009

Trust: 0.8

url:https://www.auscert.org.au/bulletins/esb-2020.1534/

Trust: 0.6

url:https://vigilance.fr/vulnerability/cisco-ios-ios-xe-cross-site-request-forgery-via-web-ui-31283

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/352.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-148112 // VULMON: CVE-2019-16009 // JVNDB: JVNDB-2019-016016 // CNNVD: CNNVD-202001-242 // NVD: CVE-2019-16009

CREDITS

Mehmet Onder Key.

Trust: 0.6

sources: CNNVD: CNNVD-202001-242

SOURCES

db: VULHUB // id: VHN-148112
db: VULMON // id: CVE-2019-16009
db: JVNDB // id: JVNDB-2019-016016
db: CNNVD // id: CNNVD-202001-242
db: NVD // id: CVE-2019-16009

LAST UPDATE DATE

2024-08-14T14:44:44.737000+00:00


SOURCES UPDATE DATE

db: VULHUB // id: VHN-148112 // date: 2020-09-28T00:00:00
db: VULMON // id: CVE-2019-16009 // date: 2020-09-28T00:00:00
db: JVNDB // id: JVNDB-2019-016016 // date: 2021-04-05T09:07:00
db: CNNVD // id: CNNVD-202001-242 // date: 2020-09-29T00:00:00
db: NVD // id: CVE-2019-16009 // date: 2020-09-28T19:26:16.847

SOURCES RELEASE DATE

db: VULHUB // id: VHN-148112 // date: 2020-09-23T00:00:00
db: VULMON // id: CVE-2019-16009 // date: 2020-09-23T00:00:00
db: JVNDB // id: JVNDB-2019-016016 // date: 2021-04-05T00:00:00
db: CNNVD // id: CNNVD-202001-242 // date: 2020-01-08T00:00:00
db: NVD // id: CVE-2019-16009 // date: 2020-09-23T01:15:13.707