CVE-2019-1838

Current Description

A vulnerability in the web-based management interface of Cisco Application Policy Infrastructure Controller (APIC) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. This vulnerability has been fixed in software version 14.1(1i).

Basic Data

Published	May 03, 2019
Last Modified	May 07, 2019
Assigner	cve@mitre.org
Data Type	CVE
Data Format	MITRE
Data Version	4.0
Problem Type	CWE-79
CVE Data Version	4.0

Base Metric V2

CVSS 2 - Version	2.0
CVSS 2 - Vector String	AV:N/AC:M/Au:S/C:N/I:P/A:N
CVSS 2 - Access Vector	NETWORK
CVSS 2 - Access Complexity	MEDIUM
CVSS 2 - Authentication	SINGLE
CVSS 2 - Confidentiality Impact	NONE
CVSS 2 - Availability Impact	NONE
CVSS 2 - Base Score	3.5
Severity	LOW
Exploitability Score	6.8
Impact Score	2.9
Obtain All Privilege	false
Obtain User Privilege	false
Obtain Other Privilege	false

Base Metric V3

CVSS 3 - Version	3.0
CVSS 3 - Vector String	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVSS 3 - Attack Vector	NETWORK
CVSS 3 - Attack Complexity	LOW
CVSS 3 - Privileges Required	LOW
CVSS 3 - User Interaction	REQUIRED
CVSS 3 - Scope	CHANGED
CVSS 3 - Confidentiality Impact	LOW
CVSS 3 - Integrity Impact	LOW
CVSS 3 - Availability Impact	NONE
CVSS 3 - Base Score	5.4
CVSS 3 - Base Severity	MEDIUM
Exploitability Score	2.3
Base Severity	MEDIUM

Configurations

Vulnerable Software List

Vendor	Product	Versions
Cisco	Application Policy Infrastructure Controller	3.2(5d), 4.0(3d)

References