====================================================================

                             CERT-Renater

                 Note d'Information No. 2019/VULN186

_____________________________________________________________________

DATE                : 12/06/2019

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Cisco IOS XE Software with HTTP Server feature
                                         enabled.

=====================================================================
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190612-iosxe-csrf
_____________________________________________________________________

Cisco Security Advisory: Cisco IOS XE Software Web UI Cross-Site Request
Forgery Vulnerability

Advisory ID: cisco-sa-20190612-iosxe-csrf

Revision: 1.0

For Public Release: 2019 June 12 16:00 GMT

Last Updated: 2019 June 12 16:00 GMT

CVE ID(s): CVE-2019-1904

CVSS Score v(3): 8.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

+---------------------------------------------------------------------

Summary

=======

A vulnerability in the web-based UI (web UI) of Cisco IOS XE Software
could allow an unauthenticated, remote attacker to conduct a cross-site
request forgery (CSRF) attack on an affected system.

The vulnerability is due to insufficient CSRF protections for the web UI
on an affected device. An attacker could exploit this vulnerability by
persuading a user of the interface to follow a malicious link. A
successful exploit could allow the attacker to perform arbitrary actions
with the privilege level of the affected user. If the user has
administrative privileges, the attacker could alter the configuration,
execute commands, or reload an affected device.

Cisco has released software updates that address this vulnerability.
There are no workarounds that address this vulnerability.

This advisory is available at the following link:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190612-iosxe-csrf
["https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190612-iosxe-csrf"]

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================