#VU10693 Cross-site request forgery in Cisco UCS Director and Cisco Integrated Management Controller - CVE-2018-0148
Published: February 21, 2018 / Updated: February 22, 2018
Vulnerability identifier: #VU10693
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-0148
CWE-ID: CWE-352
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Cisco UCS Director
Cisco Integrated Management Controller
Cisco UCS Director
Cisco Integrated Management Controller
Software vendor:
Cisco Systems, Inc
Cisco Systems, Inc
Description
The vulnerability allows a remote unauthenticated attacker to perform CSRF attack.
The weakness exists due to insufficient CSRF protection by the web-based management interface. A remote attacker can create a specially crafted HTML page or URL, trick the victim into visiting it, gain access to the system and perform arbitrary actions.
The weakness exists due to insufficient CSRF protection by the web-based management interface. A remote attacker can create a specially crafted HTML page or URL, trick the victim into visiting it, gain access to the system and perform arbitrary actions.
Remediation
Update to version 6.6(0.0).