CVE-2019-1904: Cisco IOS XE Software Web UI Cross-Site Request Forgery Vulnerability
First published: Fri Jun 21 2019(Updated: )
A vulnerability in the web-based UI (web UI) of Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protections for the web UI on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user. If the user has administrative privileges, the attacker could alter the configuration, execute commands, or reload an affected device. This vulnerability affects Cisco devices that are running a vulnerable release of Cisco IOS XE Software with the HTTP Server feature enabled. The default state of the HTTP Server feature is version dependent.
Credit: ykramarz@cisco.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Cisco IOS XE | =16.1.3 | |
| Cisco IOS XE | =16.2.1 | |
| Cisco IOS XE | =16.3.1 | |
| Cisco 4321 Integrated Services Router | ||
| Cisco 4331 Integrated Services Router | ||
| Cisco Asr 1002-x | ||
| Cisco 4431 Integrated Services Router | ||
| Cisco Cloud Services Router 1000v | ||
| Cisco Asr 1000 Series Route Processor \(rp2\) | ||
| Cisco 4351 Integrated Services Router | ||
| Cisco 4451-x Integrated Services Router | ||
| Cisco Asr 1002-hx | ||
| Cisco Asr 1001-x |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2019-1904?
CVE-2019-1904 is a vulnerability in the web-based UI (web UI) of Cisco IOS XE Software that could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system.
How severe is CVE-2019-1904?
CVE-2019-1904 has a severity rating of 8.8 (high).
Which versions of Cisco IOS XE Software are affected by CVE-2019-1904?
Versions 16.1.3, 16.2.1, and 16.3.1 of Cisco IOS XE Software are affected by CVE-2019-1904.
Is Cisco 4321 Integrated Services Router affected by CVE-2019-1904?
No, Cisco 4321 Integrated Services Router is not vulnerable to CVE-2019-1904.
Where can I find more information about CVE-2019-1904?
You can find more information about CVE-2019-1904 on the Cisco Security Advisory page: [link to Cisco Security Advisory for CVE-2019-1904](https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190612-iosxe-csrf).
- collector/nvd-index
- agent/softwarecombine
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/weakness
- agent/title
- agent/references
- agent/author
- agent/last-modified-date
- agent/event
- agent/description
- agent/first-publish-date
- agent/tags
- vendor/cisco
- canonical/cisco ios xe
- version/cisco ios xe/16.1.3
- version/cisco ios xe/16.2.1
- version/cisco ios xe/16.3.1
- canonical/cisco 4321 integrated services router
- canonical/cisco 4331 integrated services router
- canonical/cisco asr 1002-x
- canonical/cisco 4431 integrated services router
- canonical/cisco cloud services router 1000v
- canonical/cisco asr 1000 series route processor \(rp2\)
- canonical/cisco 4351 integrated services router
- canonical/cisco 4451-x integrated services router
- canonical/cisco asr 1002-hx
- canonical/cisco asr 1001-x