CVE-2024-20414
Severity CVSS v4.0:
Pending analysis
Type:
CWE-352
Cross-Site Request Forgery (CSRF)
Publication date:
25/09/2024
Last modified:
02/10/2024
Description
A vulnerability in the web UI feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system through the web UI.

This vulnerability is due to incorrectly accepting configuration changes through the HTTP GET method. An attacker could exploit this vulnerability by persuading a currently authenticated administrator to follow a crafted link. A successful exploit could allow the attacker to change the configuration of the affected device.
Impact
Base Score 3.x
6.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:cisco:ios_xe:3.2.0se:*:*:*:*:*:*:* | ||
| cpe:2.3:o:cisco:ios_xe:3.2.0sg:*:*:*:*:*:*:* | ||
| cpe:2.3:o:cisco:ios_xe:3.2.1se:*:*:*:*:*:*:* | ||
| cpe:2.3:o:cisco:ios_xe:3.2.1sg:*:*:*:*:*:*:* | ||
| cpe:2.3:o:cisco:ios_xe:3.2.2se:*:*:*:*:*:*:* | ||
| cpe:2.3:o:cisco:ios_xe:3.2.2sg:*:*:*:*:*:*:* | ||
| cpe:2.3:o:cisco:ios_xe:3.2.3se:*:*:*:*:*:*:* | ||
| cpe:2.3:o:cisco:ios_xe:3.2.3sg:*:*:*:*:*:*:* | ||
| cpe:2.3:o:cisco:ios_xe:3.2.4sg:*:*:*:*:*:*:* | ||
| cpe:2.3:o:cisco:ios_xe:3.2.5sg:*:*:*:*:*:*:* | ||
| cpe:2.3:o:cisco:ios_xe:3.2.6sg:*:*:*:*:*:*:* | ||
| cpe:2.3:o:cisco:ios_xe:3.2.7sg:*:*:*:*:*:*:* | ||
| cpe:2.3:o:cisco:ios_xe:3.2.8sg:*:*:*:*:*:*:* | ||
| cpe:2.3:o:cisco:ios_xe:3.2.9sg:*:*:*:*:*:*:* | ||
| cpe:2.3:o:cisco:ios_xe:3.2.10sg:*:*:*:*:*:*:* | ||
To consult the complete list of CPE names with products and versions, see this page



