CVE-2020-3261

A vulnerability in the web-based management interface of Cisco Mobility Express Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protections for the web-based management interface on an affected device. An attacker could exploit this vulnerability by persuading a user with an active session on an affected device to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary actions, including modifying the configuration, with the privilege level of the user.

CVSS v3.0 6.5 MEDIUM
CVSS v2.0 4.3 MEDIUM

6.5^/10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

4.3^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-mob-exp-csrf-b8tFec24	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

OR	cpe:2.3:o:cisco:aironet_1542i_firmware::::::::
	cpe:2.3:o:cisco:aironet_1542i_firmware:8.10\(1.255\):::::::*

cpe:2.3:h:cisco:aironet_1542i:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

OR	cpe:2.3:o:cisco:aironet_1542d_firmware::::::::
	cpe:2.3:o:cisco:aironet_1542d_firmware:8.10\(1.255\):::::::*

cpe:2.3:h:cisco:aironet_1542d:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

OR	cpe:2.3:o:cisco:aironet_1562i_firmware::::::::
	cpe:2.3:o:cisco:aironet_1562i_firmware:8.10\(1.255\):::::::*

cpe:2.3:h:cisco:aironet_1562i:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND

OR	cpe:2.3:o:cisco:aironet_1562e_firmware::::::::
	cpe:2.3:o:cisco:aironet_1562e_firmware:8.10\(1.255\):::::::*

cpe:2.3:h:cisco:aironet_1562e:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND

OR	cpe:2.3:o:cisco:aironet_1562d_firmware::::::::
	cpe:2.3:o:cisco:aironet_1562d_firmware:8.10\(1.255\):::::::*

cpe:2.3:h:cisco:aironet_1562d:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND

OR	cpe:2.3:o:cisco:aironet_1815_firmware::::::::
	cpe:2.3:o:cisco:aironet_1815_firmware:8.10\(1.255\):::::::*

cpe:2.3:h:cisco:aironet_1815:-:*:*:*:*:*:*:*

Configuration 7 (hide)

AND

OR	cpe:2.3:o:cisco:aironet_1830_firmware::::::::
	cpe:2.3:o:cisco:aironet_1830_firmware:8.10\(1.255\):::::::*

cpe:2.3:h:cisco:aironet_1830:-:*:*:*:*:*:*:*

Configuration 8 (hide)

AND

OR	cpe:2.3:o:cisco:aironet_1840_firmware::::::::
	cpe:2.3:o:cisco:aironet_1840_firmware:8.10\(1.255\):::::::*

cpe:2.3:h:cisco:aironet_1840:-:*:*:*:*:*:*:*

Configuration 9 (hide)

AND

OR	cpe:2.3:o:cisco:aironet_1850_firmware::::::::
	cpe:2.3:o:cisco:aironet_1850_firmware:8.10\(1.255\):::::::*

cpe:2.3:h:cisco:aironet_1850:-:*:*:*:*:*:*:*

Configuration 10 (hide)

AND

OR	cpe:2.3:o:cisco:aironet_2800i_firmware::::::::
	cpe:2.3:o:cisco:aironet_2800i_firmware:8.10\(1.255\):::::::*

cpe:2.3:h:cisco:aironet_2800i:-:*:*:*:*:*:*:*

Configuration 11 (hide)

AND

OR	cpe:2.3:o:cisco:aironet_2800e_firmware::::::::
	cpe:2.3:o:cisco:aironet_2800e_firmware:8.10\(1.255\):::::::*

cpe:2.3:h:cisco:aironet_2800e:-:*:*:*:*:*:*:*

Configuration 12 (hide)

AND

OR	cpe:2.3:o:cisco:aironet_3800i_firmware::::::::
	cpe:2.3:o:cisco:aironet_3800i_firmware:8.10\(1.255\):::::::*

cpe:2.3:h:cisco:aironet_3800i:-:*:*:*:*:*:*:*

Configuration 13 (hide)

AND

OR	cpe:2.3:o:cisco:aironet_3800e_firmware::::::::
	cpe:2.3:o:cisco:aironet_3800e_firmware:8.10\(1.255\):::::::*

cpe:2.3:h:cisco:aironet_3800e:-:*:*:*:*:*:*:*

Configuration 14 (hide)

AND

OR	cpe:2.3:o:cisco:aironet_3800p_firmware::::::::
	cpe:2.3:o:cisco:aironet_3800p_firmware:8.10\(1.255\):::::::*

cpe:2.3:h:cisco:aironet_3800p:-:*:*:*:*:*:*:*

Configuration 15 (hide)

AND

OR	cpe:2.3:o:cisco:aironet_4800_firmware::::::::
	cpe:2.3:o:cisco:aironet_4800_firmware:8.10\(1.255\):::::::*

cpe:2.3:h:cisco:aironet_4800:-:*:*:*:*:*:*:*

Configuration 16 (hide)

AND

OR	cpe:2.3:o:cisco:catalyst_iw6300_firmware::::::::
	cpe:2.3:o:cisco:catalyst_iw6300_firmware:8.10\(1.255\):::::::*

cpe:2.3:h:cisco:catalyst_iw6300:-:*:*:*:*:*:*:*

Configuration 17 (hide)

AND

OR	cpe:2.3:o:cisco:6300_series_access_points_firmware::::::::
	cpe:2.3:o:cisco:6300_series_access_points_firmware:8.10\(1.255\):::::::*

cpe:2.3:h:cisco:6300_series_access_points:-:*:*:*:*:*:*:*

Information

Published : 2020-04-15 14:15

Updated : 2020-04-29 11:38

NVD link : CVE-2020-3261

Mitre link : CVE-2020-3261

JSON object : View

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

Products Affected

cisco

aironet_1830_firmware
aironet_3800e
aironet_1840_firmware
aironet_1830
catalyst_iw6300
aironet_3800p
aironet_2800i
aironet_2800e
6300_series_access_points_firmware
aironet_1562e_firmware
aironet_2800i_firmware
aironet_1562i
aironet_1850_firmware
aironet_1542i_firmware
aironet_1542d
aironet_1562d
catalyst_iw6300_firmware
aironet_1562i_firmware
aironet_1815_firmware
aironet_1850
aironet_2800e_firmware
aironet_4800_firmware
aironet_1542d_firmware
aironet_1562e
aironet_1542i
aironet_1815
aironet_1840
aironet_3800i
aironet_3800i_firmware
aironet_4800
6300_series_access_points
aironet_1562d_firmware
aironet_3800e_firmware
aironet_3800p_firmware

6.5 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

4.3 /10

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

JSON object

Attach tags to CVE-2020-3261

6.5^/10

4.3^/10

Attach tags to `CVE-2020-3261`