Improper Authentication in Cisco Vision Dynamic Signage Director
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2019-1917 |
| CWE-ID | CWE-287 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Cisco Vision Dynamic Signage Director Other software / Other software solutions |
| Vendor | Cisco Systems, Inc |
Security Bulletin
This security bulletin contains one high risk vulnerability.
1) Improper Authentication
EUVDB-ID: #VU19248
Risk: High
CVSSv4.0: 8 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2019-1917
CWE-ID:
CWE-287 - Improper Authentication
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to insufficient validation of HTTP requests in the REST API interface. A remote attacker can send a crafted HTTP request to an affected system, bypass authentication process, gain unauthorized access to the application and execute arbitrary actions through the REST API with administrative privileges on the affected system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsCisco Vision Dynamic Signage Director: 2.0 - 6.1
CPE2.3- cpe:2.3:a:cisco_systems:cisco_vision_dynamic_signage_director:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:cisco_systems:cisco_vision_dynamic_signage_director:2.4:*:*:*:*:*:*:*
- cpe:2.3:a:cisco_systems:cisco_vision_dynamic_signage_director:3.0:*:*:*:*:*:*:*
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190717-cvdsd-wmauth
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
