SB2018110809 - Multiple vulnerabilities in Cisco Energy Management Suite
Published: November 8, 2018
Security Bulletin ID
SB2018110809
Severity
Low
Patch available
YES
Number of vulnerabilities
2
Exploitation vector
Remote access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Cross-site request forgery (CVE-ID: CVE-2018-15445)
The vulnerability allows a remote authenticated attacker to perform CSRF attack.The weakness exists in the web-based management interface due to insufficient CSRF protections. A remote attacker can create a specially crafted HTML page or URL, trick the victim into visiting it, gain access to the system and perform arbitrary actions.
2) XXE attack (CVE-ID: CVE-2018-15444)
The vulnerability allows a remote authenticated attacker to conduct XXE-attack.
The vulnerability exists in the web-based user interface due to improper handling of XML External Entities (XXEs) when parsing an XML file. A remote attacker can trick the victim into open an XML file that submits malicious input and read and write files within the affected application.
Remediation
Install update from vendor's website.