Vulnerability Details : CVE-2019-1875
A vulnerability in the web-based management interface of Cisco Prime Service Catalog could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based interface. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit this vulnerability by adding specific strings to multiple configuration fields. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive browser-based information.
Vulnerability category: Cross site scripting (XSS), Input validation
Exploit prediction scoring system (EPSS) score for CVE-2019-1875
Probability of exploitation activity in the next 30 days: 0.07%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 27 %
CVSS scores for CVE-2019-1875
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
3.5 | LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N | 6.8 | 2.9 | NIST |
4.8 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N | 1.7 | 2.7 | NIST |
4.8 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N | 1.7 | 2.7 | Cisco Systems, Inc. |
CWE ids for CVE-2019-1875
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: ykramarz@cisco.com (Secondary)
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-1875
- http://www.securityfocus.com/bid/108836
  Cisco Prime Service Catalog CVE-2019-1875 Cross Site Scripting Vulnerability (Third Party Advisory; VDB Entry)
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190619-psc-xss
  Cisco Prime Service Catalog Cross-Site Scripting Vulnerability (Patch; Vendor Advisory)
Products affected by CVE-2019-1875
- cpe:2.3:a:cisco:prime_service_catalog:12.1:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:prime_service_catalog:11.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:prime_service_catalog:12.0:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:prime_service_catalog:11.1:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:prime_service_catalog:11.0:*:*:*:*:*:*:*