CVE-2019-1797 : A vulnerability in the web-based management interface of Cisco Wireless LAN Cont

A vulnerability in the web-based management interface of Cisco Wireless LAN Controller (WLC) Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on the device with the privileges of the user, including modifying the device configuration. The vulnerability is due to insufficient CSRF protections for the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading an interface user to follow a crafted link. A successful exploit could allow the attacker to perform arbitrary actions on the device with the privileges of the user. Software versions prior to 8.3.150.0, 8.5.135.0, and 8.8.100.0 are affected.

Published 2019-04-18 01:29:03

Updated 2021-04-21 15:50:22

Source Cisco Systems, Inc.

View at NVD, CVE.org

Vulnerability category: Cross-site request forgery (CSRF)

Products affected by CVE-2019-1797

Cisco » Wireless Lan Controller Software
Versions before (<) 8.3.150.0
cpe:2.3:o:cisco:wireless_lan_controller_software:*:*:*:*:*:*:*:*
Matching versions
Cisco » Wireless Lan Controller Software
Versions from including (>=) 8.5.131.0 and before (<) 8.5.150.0
cpe:2.3:o:cisco:wireless_lan_controller_software:*:*:*:*:*:*:*:*
Matching versions
Cisco » Wireless Lan Controller Software
Versions from including (>=) 8.7.106.0 and before (<) 8.8.100.0
cpe:2.3:o:cisco:wireless_lan_controller_software:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2019-1797

EPSS FAQ

0.22%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 42 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2019-1797

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.8	MEDIUM	AV:N/AC:M/Au:N/C:P/I:P/A:P	8.6	6.4	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
8.1	HIGH	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H	2.8	5.2	Cisco Systems, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: None Integrity: High Availability: High
8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	2.8	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2019-1797

CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Assigned by:
- nvd@nist.gov (Primary)
- ykramarz@cisco.com (Secondary)

References for CVE-2019-1797

http://www.securityfocus.com/bid/107998

Cisco Wireless LAN Controller Software CVE-2019-1797 Cross Site Request Forgery Vulnerability
Third Party Advisory;VDB Entry
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190417-wlc-csrf

Cisco Wireless LAN Controller Software Cross-Site Request Forgery Vulnerability
Vendor Advisory

Jump to

Vulnerability Details : CVE-2019-1797

Products affected by CVE-2019-1797

Exploit prediction scoring system (EPSS) score for CVE-2019-1797

CVSS scores for CVE-2019-1797

CWE ids for CVE-2019-1797

References for CVE-2019-1797