CVE-2018-0278
02.05.2018, 22:29
A vulnerability in the management console of Cisco Firepower System Software could allow an unauthenticated, remote attacker to access sensitive data about the system. The vulnerability is due to improper cross-origin domain protections for the WebSocket protocol. An attacker could exploit this vulnerability by convincing a user to visit a malicious website designed to send requests to the affected application while the user is logged into the application with an active session cookie. A successful exploit could allow the attacker to retrieve policy or configuration information from the affected software and to perform another attack against the management console. Cisco Bug IDs: CSCvh68311.Enginsight
| Vendor | Product | Version |
|---|---|---|
| cisco | secure_firewall_management_center | 6.1.0 |
| cisco | secure_firewall_management_center | 6.2.0 |
| cisco | secure_firewall_management_center | 6.2.1 |
| cisco | secure_firewall_management_center | 6.2.2 |
| cisco | secure_firewall_management_center | 6.2.3 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-200 - Exposure of Sensitive Information to an Unauthorized ActorThe product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
- CWE-863 - Incorrect AuthorizationThe software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.