CVE-2024-20414 - Cross-Site Request Forgery (CSRF)

Severity

65%

Complexity

27%

Confidentiality

60%

A vulnerability in the web UI feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system through the web UI. This vulnerability is due to incorrectly accepting configuration changes through the HTTP GET method. An attacker could exploit this vulnerability by persuading a currently authenticated administrator to follow a crafted link. A successful exploit could allow the attacker to change the configuration of the affected device.

CVSS 3.1 Base Score 6.5. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N).

Demo Examples

Cross-Site Request Forgery (CSRF)

CWE-352

This example PHP code attempts to secure the form submission process by validating that the user submitting the form has a valid session. A CSRF attack would not be prevented by this countermeasure because the attacker forges a request through the user's web browser in which a valid session already exists.

The following HTML is intended to allow a user to update a profile.


               
</form>

profile.php contains the following code.


               
}//if the session is registered to a valid user then allow update

                     
exit;// Redirect user to login page
// The user session is valid, so process the request// and update the information

                     
echo "Your profile has been successfully updated.";// read in the data from $POST and send an update// to the database

This code may look protected since it checks for a valid session. However, CSRF attacks can be staged from virtually any tag or HTML construct, including image tags, links, embed or object tags, or other attributes that load background images.

The attacker can then host code that will silently change the username and email address of any user that visits the page while remaining logged in to the target web application. The code might be an innocent-looking web page such as:


               
</form>
form.submit();// send to profile.php

Notice how the form contains hidden fields, so when it is loaded into the browser, the user will not notice it. Because SendAttack() is defined in the body's onload attribute, it will be automatically called when the victim loads the web page.

Assuming that the user is already logged in to victim.example.com, profile.php will see that a valid user session has been established, then update the email address to the attacker's own address. At this stage, the user's identity has been compromised, and messages sent through this profile could be sent to the attacker's address.

Overview

Type

Cisco IOS

First reported 4 months ago

2024-09-25 17:15:00

Last updated 4 months ago

2024-10-02 20:02:00

Affected Software

Cisco IOS XE 3.2.0SG

3.2.0sg

Cisco IOS XE 3.10.6S

3.10.6s

Cisco IOS XE 3.6.5BE

3.6.5be

Cisco IOS XE 3.14.4S

3.14.4s

Cisco IOS XE 3.15.1cS

3.15.1cs

Cisco IOS XE 3.4.1SG

3.4.1sg

Cisco IOS XE 3.6.5AE

3.6.5ae

Cisco IOS XE 3.6.6E

3.6.6e

Cisco IOS XE 3.8.0s

3.8.0s

Cisco IOS XE 3.8.1S

3.8.1s

Cisco IOS XE 3.14.1S

3.14.1s

Cisco IOS XE 3.7.1s

3.7.1s

Cisco IOS XE 3.10.5S

3.10.5s

Cisco IOS XE 3.5.1E

3.5.1e

Cisco IOS XE 3.4.2SG

3.4.2sg

Cisco IOS XE 3.9.0AS

3.9.0as

Cisco IOS XE 3.4.4SG

3.4.4sg

Cisco IOS XE 3.9.1AS

3.9.1as

Cisco IOS XE 3.10.1S

3.10.1s

Cisco IOS XE 3.9.0s

3.9.0s

Cisco IOS XE 3.3.1SG

3.3.1sg

Cisco IOS XE 3.17.1AS

3.17.1as

Cisco IOS XE 3.10.2S

3.10.2s

Cisco IOS XE 3.4.6SG

3.4.6sg

Cisco IOS XE 3.18.0AS

3.18.0as

Cisco IOS XE 3.7.4AS

3.7.4as

Cisco IOS XE 3.7.0BS

3.7.0bs

Cisco IOS XE 3.6.7E

3.6.7e

Cisco IOS XE 3.9.2S

3.9.2s

Cisco IOS XE 3.16.0cS

3.16.0cs

Cisco IOS XE 3.11.2S

3.11.2s

Cisco IOS XE 3.14.3S

3.14.3s

Cisco IOS XE 3.2.2SE

3.2.2se

Cisco IOS XE 3.17.2S

3.17.2s

Cisco IOS XE 3.10.1XBS

3.10.1xbs

Cisco IOS XE 3.2.3SE

3.2.3se

Cisco IOS XE 3.2.3SG

3.2.3sg

Cisco IOS XE 3.4.8SG

3.4.8sg

Cisco IOS XE 3.3.1SE

3.3.1se

Cisco IOS XE 3.10.3S

3.10.3s

Cisco IOS XE 3.14.0S

3.14.0s

Cisco IOS XE 3.5.2E

3.5.2e

Cisco IOS XE 3.2.11SG

3.2.11sg

Cisco IOS XE 3.10.7S

3.10.7s

Cisco IOS XE 3.3.2SG

3.3.2sg

Cisco IOS XE 3.16.1S

3.16.1s

Cisco IOS XE 3.7.5E

3.7.5e

Cisco IOS XE 3.2.0SG

3.2.1sg

Cisco IOS XE 3.3.0SE

3.3.0se

Cisco IOS XE 3.4.5SG

3.4.5sg

Cisco IOS XE 3.11.0S

3.11.0s

Cisco IOS XE 3.12.0AS

3.12.0as

Cisco IOS XE 3.9.1s

3.9.1s

Cisco IOS XE 3.4.3SG

3.4.3sg

Cisco IOS XE 16.1.1

16.1.1

Cisco IOS XE 3.8.2E

3.8.2e

Cisco IOS XE 3.7.0s

3.7.0s

Cisco IOS XE 3.5.4SQ

3.5.4sq

Cisco IOS XE 3.18.0S

3.18.0s

Cisco IOS XE 3.10.0S

3.10.0s

Cisco IOS XE 3.8.2S

3.8.2s

Cisco IOS XE 3.7.2E

3.7.2e

Cisco IOS XE 3.14.2S

3.14.2s

Cisco IOS XE 3.15.4S

3.15.4s

Cisco IOS XE 3.16.2BS

3.16.2bs

Cisco IOS XE 3.16.1AS

3.16.1as

Cisco IOS XE 3.2.4SG

3.2.4sg

Cisco IOS XE 3.13.3S

3.13.3s

Cisco IOS XE 3.7.2s

3.7.2s

Cisco IOS XE 3.2.1SE

3.2.1se

Cisco IOS XE 3.4.0SG

3.4.0sg

Cisco IOS XE 3.5.5SQ

3.5.5sq

Cisco IOS XE 3.6.5E

3.6.5e

Cisco IOS XE 3.5.0E

3.5.0e

Cisco IOS XE 3.2.2SG

3.2.2sg

Cisco IOS XE 3.4.7SG

3.4.7sg

Cisco IOS XE 3.3.0SG

3.3.0sg

Cisco IOS XE 3.11.1S

3.11.1s

Cisco IOS XE 16.5.1

16.5.1

Cisco IOS XE 16.3.4

16.3.4

Cisco IOS XE 3.9.2E

3.9.2e

Cisco IOS XE 16.5.1B

16.5.1b

Cisco IOS XE 16.4.2

16.4.2

Cisco IOS XE16.9.1

16.9.1

Cisco IOS XE 3.8.5E

3.8.5e

Cisco IOS XE 3.5.6SQ

3.5.6sq

Cisco IOS XE 16.3.5

16.3.5

Cisco IOS XE 16.5.2

16.5.2

Cisco IOS XE 3.5.7SQ

3.5.7sq

Cisco IOS XE 3.8.5AE

3.8.5ae

Cisco IOS XE 16.8.1A

16.8.1a

Cisco IOS XE 16.8.1S

16.8.1s

Cisco IOS XE 16.8.1B

16.8.1b

Cisco IOS XE 16.8.2

16.8.2

Cisco IOS XE 16.8.1D

16.8.1d

Cisco IOS XE 16.7.3

16.7.3

Cisco IOS XE 16.7.1A

16.7.1a

Cisco IOS XE 16.7.1B

16.7.1b

Cisco IOS XE 16.8.1C

16.8.1c

Cisco IOS XE 16.8.1E

16.8.1e

Cisco IOS XE 16.4.3

16.4.3

Cisco IOS XE 3.6.8E

3.6.8e

Cisco IOS XE 3.10.0CE

3.10.0ce

Cisco IOS XE 3.18.3ASP

3.18.3asp

Cisco IOS XE 3.10.0E

3.10.0e

Cisco IOS XE 16.9.1S

16.9.1s

Cisco IOS XE 3.16.7AS

3.16.7as

Cisco IOS XE 3.18.4S

3.18.4s

Cisco IOS XE 3.18.3BSP

3.18.3bsp

Cisco IOS XE 16.9.1B

16.9.1b

Cisco IOS XE 3.16.7BS

3.16.7bs

Cisco IOS XE 3.18.4SP

3.18.4sp

Cisco IOS XE 3.6.7BE

3.6.7be

Cisco IOS XE 16.5.3

16.5.3

Cisco IOS XE 3.10.1E

3.10.1e

Cisco IOS XE 3.6.10E

3.6.10e

Cisco IOS XE 16.3.7

16.3.7

Cisco IOS XE 16.3.8

16.3.8

Cisco IOS XE 3.13.10S

3.13.10s

Cisco IOS XE 3.10.10S

3.10.10s

Cisco IOS XE 16.6.4

16.6.4

Cisco IOS XE 3.18.5SP

3.18.5sp

Cisco IOS XE 3.16.8S

3.16.8s

Cisco IOS XE 3.10.2E

3.10.2e

Cisco IOS XE 3.6.9E

3.6.9e

Cisco IOS XE 3.8.7E

3.8.7e

Cisco IOS XE 16.10.1

16.10.1

Cisco IOS XE 16.7.4

16.7.4

Cisco IOS XE 16.9.1A

16.9.1a

Cisco IOS XE 16.9.2

16.9.2

Cisco IOS XE 16.6.4A

16.6.4a

Cisco IOS XE 3.5.8SQ

3.5.8sq

Cisco IOS XE 3.16.10S

3.16.10s

Cisco IOS XE 16.12.1

16.12.1

Cisco IOS XE 16.11.1

16.11.1

Cisco IOS XE 17.1.1

17.1.1

Cisco IOS XE 16.10.1S

16.10.1s

Cisco IOS XE 16.10.1D

16.10.1d

Cisco IOS XE 3.11.3E

3.11.3e

Cisco IOS XE 3.11.0E

3.11.0e

Cisco IOS XE 3.16.9S

3.16.9s

Cisco IOS XE 16.6.6

16.6.6

Cisco IOS XE 16.6.5A

16.6.5a

Cisco IOS XE 3.8.8E

3.8.8e

Cisco IOS XE 16.9.3A

16.9.3a

Cisco IOS XE 16.10.1A

16.10.1a

Cisco IOS XE 3.10.3E

3.10.3e

Cisco IOS XE 16.10.1F

16.10.1f

Cisco IOS XE 16.10.1G

16.10.1g

Cisco IOS XE 16.10.2

16.10.2

Cisco IOS XE 16.9.3

16.9.3

Cisco IOS XE 16.12.1Y

16.12.1y

Cisco IOS XE 16.10.1E

16.10.1e

Cisco IOS XE 16.10.1B

16.10.1b

Cisco IOS XE 16.8.3

16.8.3

Cisco IOS XE 16.10.1C

16.10.1c

Cisco IOS XE 3.18.6SP

3.18.6sp

Cisco IOS XE 16.12.2

16.12.2

Cisco IOS XE 3.8.9E

3.8.9e

Cisco IOS XE 3.11.1E

3.11.1e

Cisco IOS XE 3.18.7SP

3.18.7sp

Cisco IOS XE 3.11.1AE

3.11.1ae

Cisco IOS XE 16.12.2A

16.12.2a

Cisco IOS XE 16.10.3

16.10.3

Cisco IOS XE 16.12.4

16.12.4

Cisco IOS XE 16.12.8

16.12.8

Cisco IOS XE 16.9.5

16.9.5

Cisco IOS XE 16.9.5F

16.9.5f

Cisco IOS XE 16.6.8

16.6.8

Cisco IOS XE 3.8.10E

3.8.10e

Cisco IOS 15.2(6)E2A

15.2\(6\)e2a

Cisco IOS 15.2(6)E2B

15.2\(6\)e2b

Cisco IOS 15.2(6)E2

15.2\(6\)e2

Cisco IOS 15.2(7)E

15.2\(7\)e

Cisco IOS 15.2(7)E0s

15.2\(7\)e0s

Cisco IOS 15.2(7)E0A

15.2\(7\)e0a

Cisco IOS 15.2(7A)E0B

15.2\(7a\)e0b

Cisco IOS 15.2(7)E1

15.2\(7\)e1

Cisco IOS 15.2(6)E3

15.2\(6\)e3

Cisco IOS 15.2(7)E1A

15.2\(7\)e1a

Cisco IOS 15.2(7)E0B

15.2\(7\)e0b

Cisco IOS 15.2(6)EB

15.2\(6\)eb

Cisco IOS 15.2(7b)e0b

15.2\(7b\)e0b

References

cisco-sa-ios-webui-HfwnRgk

cisco-sa-ios-webui-HfwnRgk

Vendor Advisory

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.