CVE-2019-12624

HIGH

Cisco Ios XE < 3.11.xe - CSRF

Title source: rule

Description

A vulnerability in the web-based management interface of Cisco IOS XE New Generation Wireless Controller (NGWC) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. The vulnerability is due to insufficient CSRF protections for the web-based management interface of the affected software. An attacker could exploit this vulnerability by persuading a user of the interface to follow a crafted link. A successful exploit could allow the attacker to perform arbitrary actions on an affected device by using a web browser and with the privileges of the user.

Exploits (1)

exploitdb WORKING POC

by Mehmet Onder · textwebappshardware

https://www.exploit-db.com/exploits/47153

View Code ZIP pw:eip

References (1)

[Vendor Advisory] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-iosxe-ngwc-csrf

Scores

CVSS v3 8.8

EPSS 0.0239

EPSS Percentile 85.1%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-352

Status published

Products (1)

cisco/ios_xe 3.0.xe - 3.11.xe

Published Aug 21, 2019

Tracked Since Feb 18, 2026