Main Vulnerability Database Vulnerabilities #VU26978

#VU26978 Cross-site request forgery in Cisco Mobility Express - CVE-2020-3261

Published: April 16, 2020

Vulnerability identifier: #VU26978

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2020-3261

CWE-ID: CWE-352

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Cisco Mobility Express

Software vendor:
Cisco Systems, Inc

Description

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin in the web-based management interface. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.

This vulnerability affects the following Cisco products if they are running a vulnerable release of Cisco Mobility Express Software:

Aironet 1540 Series Access Points
Aironet 1560 Series Access Points
Aironet 1800 Series Access Points
Aironet 2800 Series Access Points
Aironet 3800 Series Access Points
Aironet 4800 Series Access Points
Catalyst IW6300 Access Points
6300 Embedded Services Access Points

Remediation

Install update from vendor's website.

External links

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-mob-exp-csrf-b8tFec24

#VU26978 Cross-site request forgery in Cisco Mobility Express - CVE-2020-3261

Description

Remediation

External links

Please verify you're human