Cisco HyperFlex UI Clickjacking Vulnerability

cisco-sa-20181003-hyperflex-clickjacking · Medium · Published 7 years ago · Updated 7 years ago

Data: Cisco advisories 1 day ago · Cisco CSAF 4 hours ago · NVD CVEs 7 hours ago · NVD CPEs 1 day ago · CISA KEV 1 day ago · EPSS 1 day ago

A vulnerability in the web UI of Cisco HyperFlex Software could allow an unauthenticated, remote attacker to affect the integrity of a device via a clickjacking attack. The vulnerability is due to insufficient input validation of iFrame data in HTTP requests that are sent to an affected device. An attacker could exploit this vulnerability by sending crafted HTTP packets with malicious iFrame data. A successful exploit could allow the attacker to perform a clickjacking attack where the user is tricked into clicking a malicious link. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-hyperflex-clickjacking

Cisco advisory ·CSAF JSON

Workarounds

There are no workarounds that address this vulnerability.

Protection mechanisms should be used to prevent this type of attack.

CVEs	CVE-2018-15423
Cisco Bug IDs	CSCvj95644
CVSS Score	Base 4.7 Base 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:L/E:X/RL:X/RC:X

Products with public affected evidence

Product	CVE	Affected evidence
Cisco HyperFlex HX-Series	CVE-2018-15423	structured affected CSAF product_status