Cross-site request forgery in AirWatch Console - CVE-2017-4951
Published: January 26, 2018 / Updated: February 19, 2018
Vulnerability identifier: #VU10305
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2017-4951
CWE-ID: CWE-352
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: VMware, Inc
Affected software:
AirWatch Console
Detailed vulnerability description
The vulnerability allows a remote unauthenticated attacker to perform a CSRF attack.
The weakness exists in the web framework of Cisco Prime Service Catalog due to a lack of cross-site request forgery (CSRF) protection. A remote attacker can create a specially crafted HTML page or URL, trick the victim into visiting it, gain access to the system and perform arbitrary actions.
How to mitigate CVE-2017-4951
The vulnerability is addressed in the following versions: 9.1.5, 9.2.2.