#VU12071 Cross-site request forgery in Cisco IOS - CVE-2018-0255
Published: April 20, 2018
Vulnerability identifier: #VU12071
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-0255
CWE-ID: CWE-352
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Cisco IOS
Cisco IOS
Software vendor:
Cisco Systems, Inc
Cisco Systems, Inc
Description
The vulnerability allows a remote unauthenticated attacker to conduct CSRF attack and gain elevated privileges on the target system.
The weakness exists in the device manager web interface due to insufficient CSRF protectione. A remote attacker can trick the victim into following a malicious link or visiting an attacker-controlled website, submit arbitrary requests via the device manager web interface with root privileges.
The weakness exists in the device manager web interface due to insufficient CSRF protectione. A remote attacker can trick the victim into following a malicious link or visiting an attacker-controlled website, submit arbitrary requests via the device manager web interface with root privileges.
Remediation
Install update from vendor's website.