Vulnerability Details : CVE-2019-1753
A vulnerability in the web UI of Cisco IOS XE Software could allow an authenticated but unprivileged (level 1), remote attacker to run privileged Cisco IOS commands by using the web UI. The vulnerability is due to a failure to validate and sanitize input in Web Services Management Agent (WSMA) functions. An attacker could exploit this vulnerability by submitting a malicious payload to the affected device's web UI. A successful exploit could allow the lower-privileged attacker to execute arbitrary commands with higher privileges on the affected device.
Vulnerability category: Input validation
Products affected by CVE-2019-1753
- cpe:2.3:o:cisco:ios_xe:3.2.0ja:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:ios_xe:16.6.1:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:ios_xe:16.8.1:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:ios_xe:16.6.2:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:ios_xe:16.7.1:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:ios_xe:16.8.1s:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:ios_xe:16.8.1b:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:ios_xe:16.8.1a:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:ios_xe:16.8.1e:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:ios_xe:3.6.10e:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:ios_xe:16.8.1d:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:ios_xe:16.7.1b:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:ios_xe:16.8.1c:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:ios_xe:16.7.1a:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:ios_xe:16.6.3:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-1753
0.12%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 46 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2019-1753
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
9.0
|
HIGH | AV:N/AC:L/Au:S/C:C/I:C/A:C |
8.0
|
10.0
|
NIST | |
8.8
|
HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
2.8
|
5.9
|
NIST | |
8.8
|
HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
2.8
|
5.9
|
Cisco Systems, Inc. |
CWE ids for CVE-2019-1753
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by:
- nvd@nist.gov (Primary)
- ykramarz@cisco.com (Secondary)
References for CVE-2019-1753
-
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-iosxe-pe
Cisco IOS XE Software Privilege Escalation VulnerabilityPatch;Vendor Advisory
-
http://www.securityfocus.com/bid/107602
Cisco IOS XE Software CVE-2019-1753 Remote Privilege Escalation VulnerabilityThird Party Advisory;VDB Entry
Jump to