Vulnerability Details: CVE-2018-0326
A vulnerability in the web UI of Cisco TelePresence Server Software could allow an unauthenticated, remote attacker to conduct a cross-frame scripting (XFS) attack against a user of the web UI of the affected software. The vulnerability is due to insufficient protections for HTML inline frames (iframes) by the web UI of the affected software. An attacker could exploit this vulnerability by persuading a user of the affected UI to navigate to an attacker-controlled web page that contains a malicious HTML iframe. A successful exploit could allow the attacker to conduct click-jacking or other client-side browser attacks on the affected system. Cisco Bug IDs: CSCun79565.
Products affected by CVE-2018-0326
- cpe:2.3:o:cisco:telepresence_tx9000_firmware:10.0\(2.98000.99\):*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-0326
- 0.13%: Probability of exploitation activity in the next 30 days
- ~ 48%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2018-0326
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N | 8.6 | 2.9 | NIST | |
6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 | NIST | |
CWE ids for CVE-2018-0326
- The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.
  Assigned by:
  - nvd@nist.gov (Primary)
  - ykramarz@cisco.com (Secondary)
References for CVE-2018-0326
- http://www.securitytracker.com/id/1040930
  Cisco TelePresence Input Validation Flaw Lets Remote Users Conduct Cross-Frame Scripting Attacks - SecurityTracker (VDB Entry; Third Party Advisory)
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180516-telepres-xfs
  Cisco TelePresence IX5000 Series and TelePresence TX9000 Series Cross-Frame Scripting Vulnerability (Vendor Advisory)
- http://www.securityfocus.com/bid/104204
  Cisco TelePresence Server CVE-2018-0326 Cross Frame Scripting Vulnerability (Third Party Advisory; VDB Entry)