CVE-2024-20369

15.05.2024, 18:15

A vulnerability in the web-based management interface of Cisco Crosswork Network Services Orchestrator (NSO) could allow an unauthenticated, remote attacker to redirect a user to a malicious web page.


 This vulnerability is due to improper input validation of a parameter in an HTTP request. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to redirect a user to a malicious website.

Open Redirect

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	4.7 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
cisco	CNA	4.7 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
CISA-ADP	ADP	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 17%

Vendor	Product	Version
cisco	network_services_orchestrator	5.4 ≤ 𝑥 < 5.5.10.1
cisco	network_services_orchestrator	5.6 ≤ 𝑥 < 5.6.14.3
cisco	network_services_orchestrator	5.7 ≤ 𝑥 < 5.7.15
cisco	network_services_orchestrator	5.8 ≤ 𝑥 < 5.8.13.1
cisco	network_services_orchestrator	6.0 ≤ 𝑥 < 6.0.12
cisco	network_services_orchestrator	6.1 ≤ 𝑥 < 6.1.7
cisco	network_services_orchestrator	6.2 ≤ 𝑥 < 6.2.2

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.

References

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nso-ordir-MNM8YqzO