CVE-2024-20414

MEDIUM

Cisco IOS XE - Unauthenticated Cross-Site Request Forgery via HTTP GET Method

Title source: llm

Description

A vulnerability in the web UI feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system through the web UI. This vulnerability is due to incorrectly accepting configuration changes through the HTTP GET method. An attacker could exploit this vulnerability by persuading a currently authenticated administrator to follow a crafted link. A successful exploit could allow the attacker to change the configuration of the affected device.

References (1)

Core 1

Core References

Vendor Advisory

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-webui-HfwnRgk

Scores

CVSS v3 6.5

EPSS 0.0032

EPSS Percentile 55.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-285 CWE-352

Status published

Products (50)

cisco/ios 15.2\(6\)e2

cisco/ios 15.2\(6\)e2a

cisco/ios 15.2\(6\)e2b

cisco/ios 15.2\(6\)e3

cisco/ios 15.2\(6\)eb

cisco/ios 15.2\(7\)e

cisco/ios 15.2\(7\)e0a

cisco/ios 15.2\(7\)e0b

cisco/ios 15.2\(7\)e0s

cisco/ios 15.2\(7\)e1

... and 40 more

Published Sep 25, 2024

Tracked Since Feb 18, 2026