Vulnslist

Cisco vulnerabilities by product, model, software, and advisory.

Cisco Secure Access Control System Admin/View Page Cross-Site Request Forgery Vulnerability

Cisco-SA-20130715-CVE-2013-3424 · Medium · Published · Updated

A vulnerability in the Cisco Access Control System (ACS) Administration and View pages could allow an unauthenticated, remote attacker to perform a cross-site request forgery (CSRF) attack. The vulnerability is due to insufficient CSRF protections. An attacker could exploit this vulnerability by convincing an authenticated ACS user to access a malicious link. Cisco has confirmed this vulnerability in a security notice and released software updates. To exploit the vulnerability, the attacker may provide a link to a malicious site and may persuade the user to follow the link by using misleading language and instructions. Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.

Cisco advisory · CSAF JSON

Workarounds

Administrators are advised to apply the appropriate updates.

Users are advised not to open email messages from suspicious or unrecognized sources. If users cannot verify that links or attachments included in email messages are safe, they are advised not to open them.

For additional information about cross-site request forgery attacks and potential mitigation methods, see the Cisco Applied Mitigation Bulletin "Understanding Cross-Site Request Forgery Threat Vectors" (http://tools.cisco.com/security/center/viewAMBAlert.x?alertId=28726).

Administrators are advised to monitor affected systems.

CVEs: CVE-2013-3424
Cisco Bug IDs: CSCud75177
CVSS Score: Base 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N/E:F/RL:OF/RC:C)
Product Names From Source: Cisco Secure Access Control System (ACS)

Related Products

Product: Cisco Secure Access Control System (ACS) | CVE: CVE-2013-3424 | Evidence: Cisco OpenVuln