CVE-2019-1904
Summary
| CVE | CVE-2019-1904 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2019-06-21 03:15:00 UTC |
| Updated | 2021-10-18 12:04:00 UTC |
| Description | A vulnerability in the web-based UI (web UI) of Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protections for the web UI on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user. If the user has administrative privileges, the attacker could alter the configuration, execute commands, or reload an affected device. This vulnerability affects Cisco devices that are running a vulnerable release of Cisco IOS XE Software with the HTTP Server feature enabled. The default state of the HTTP Server feature is version dependent. |
Risk And Classification
Problem Types: CWE-352
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Hardware | Cisco | 4321 Integrated Services Router | - | All | All | All |
| Hardware | Cisco | 4331 Integrated Services Router | - | All | All | All |
| Hardware | Cisco | 4351 Integrated Services Router | - | All | All | All |
| Hardware | Cisco | 4431 Integrated Services Router | - | All | All | All |
| Hardware | Cisco | 4451-x Integrated Services Router | - | All | All | All |
| Hardware | Cisco | Asr 1000 Series Route Processor Rp2 | - | All | All | All |
| Hardware | Cisco | Asr 1001-x | - | All | All | All |
| Hardware | Cisco | Asr 1001-x Router | - | All | All | All |
| Hardware | Cisco | Asr 1002-hx | - | All | All | All |
| Hardware | Cisco | Asr 1002-hx Router | - | All | All | All |
| Hardware | Cisco | Asr 1002-x | - | All | All | All |
| Hardware | Cisco | Asr 1002-x Router | - | All | All | All |
| Hardware | Cisco | Cloud Services Router 1000v | - | All | All | All |
| Operating System | Cisco | Ios Xe | 16.1.3 | All | All | All |
| Operating System | Cisco | Ios Xe | 16.2.1 | All | All | All |
| Operating System | Cisco | Ios Xe | 16.3.1 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Cisco IOS XE Software Web UI Cross-Site Request Forgery Vulnerability | MISC | tools.cisco.com | Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
LEGACY: This vulnerability was originally found during internal security testing. This vulnerability was also independently discovered by Mr. James Chambers (Research Scientist) of Red Balloon Security. Cisco would like to thank Red Balloon Security for reporting this vulnerability to Cisco and working toward a coordinated disclosure.
There are currently no legacy QID mappings associated with this CVE.