#VU19248 Improper Authentication in Cisco Vision Dynamic Signage Director
Vulnerability identifier: #VU19248
Vulnerability risk: High
CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-287
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Cisco Vision Dynamic Signage Director
Other software /
Other software solutions
Vendor: Cisco Systems, Inc
Description
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to insufficient validation of HTTP requests in the REST API interface. A remote attacker can send a crafted HTTP request to an affected system, bypass authentication process, gain unauthorized access to the application and execute arbitrary actions through the REST API with administrative privileges on the affected system.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
Cisco Vision Dynamic Signage Director: 2.0 - 6.1
External links
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190717-cvdsd-wmauth
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
