CVE-2019-12624
Cisco IOS XE NGWC Legacy Wireless Device Manager GUI Cross-Site Request Forgery Vulnerability
In short
A security flaw in Cisco IOS XE wireless controller's web interface allows an attacker to trick a logged-in user into performing unwanted actions on the device, such as changing settings or creating accounts, without the user's knowledge.
Technical detail
The web-based management interface of the Cisco IOS XE NGWC does not sufficiently validate anti-CSRF tokens or enforce same-origin checks on state-changing requests. An unauthenticated, remote attacker can craft a link that, when opened by an authenticated administrator, causes the victim's browser to submit requests that perform arbitrary administrative actions with the victim's privileges and session context.
Summary generated and translated by AI from the official description.
A vulnerability in the web-based management interface of Cisco IOS XE New Generation Wireless Controller (NGWC) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. The vulnerability is due to insufficient CSRF protections for the web-based management interface of the affected software. An attacker could exploit this vulnerability by persuading a user of the interface to follow a crafted link. A successful exploit could allow the attacker to perform arbitrary actions on an affected device by using a web browser and with the privileges of the user.
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
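To make the "insufficient CSRF protections" concrete from the defender's side, here is an added Python example (not Cisco code and not taken from the page) that models a management handler the way the description characterises it: a vulnerable variant that performs any action as long as a valid session exists, beside a hardened variant that requires a per-session synchronizer token and a same-origin Origin/Referer check. The management host name, the session object and the request headers are constructed for the demonstration.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed value: the origin of the controller's own management UI.
MANAGEMENT_ORIGIN = "https://wlc.example.internal"


@dataclass
class Session:
    """Hypothetical authenticated admin session; a fresh CSRF token is
    generated when the session is created and sent to the UI's forms."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def handle_without_csrf_protection(session, form):
    # Vulnerable pattern: a valid session cookie is the only requirement, so a
    # request the browser was tricked into sending is indistinguishable from
    # one the administrator intended.
    return {"action": form["action"], "performed_by": session.user, "status": 200}


def is_same_origin(headers):
    """Accept only requests whose Origin (or, failing that, Referer) matches
    the management UI's scheme and host; fail closed when neither is present."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    got = urlsplit(source)
    want = urlsplit(MANAGEMENT_ORIGIN)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)


def handle_with_csrf_protection(session, headers, form):
    # Hardened pattern: reject cross-origin requests, then require the
    # per-session synchronizer token before performing any action.
    if not is_same_origin(headers):
        return {"error": "cross-origin request rejected", "status": 403}
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), session.csrf_token.encode()):
        return {"error": "missing or invalid CSRF token", "status": 403}
    return {"action": form["action"], "performed_by": session.user, "status": 200}


def demo():
    """Replay one constructed forged request and one legitimate request
    through both handlers; returns the four responses for inspection."""
    session = Session(user="admin")
    # Constructed forged request: browser sends the session cookie, but the
    # page that triggered it lives elsewhere and knows no token.
    forged_headers = {"Origin": "https://attacker.example"}
    forged_form = {"action": "add_user"}
    # Constructed legitimate request submitted from the management UI itself.
    legit_headers = {"Referer": MANAGEMENT_ORIGIN + "/admin/users"}
    legit_form = {"action": "add_user", "csrf_token": session.csrf_token}
    return (
        handle_without_csrf_protection(session, forged_form),
        handle_with_csrf_protection(session, forged_headers, forged_form),
        handle_without_csrf_protection(session, legit_form),
        handle_with_csrf_protection(session, legit_headers, legit_form),
    )


if __name__ == "__main__":
    for response in demo():
        print(response)
```

The two checks are deliberately layered: the origin check stops a forged request even when a token has leaked, and the token check stops it even when Origin and Referer are absent or spoofed by a non-browser client. Marking the session cookie `SameSite=Lax` or `Strict` adds a third, browser-enforced layer.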
Affected products
Cisco · Cisco IOS XE Software
Public PoCs found: 1
exploitdb: www.exploit-db.com/exploits/47153 (unverified)
⚠ Public resources for assessing the exposure of systems you control or are authorized to test. Test only with authorization.