Thursday, 17 August 2017
A vulnerability has been found in Cisco AnyConnect Secure Mobility Client (the affected version is unknown) and classified as critical. This vulnerability affects the function
WebLaunch. The manipulation with an unknown input leads to a cross site scripting vulnerability. The CWE definition for the vulnerability is CWE-80. As an impact it is known to affect integrity. An attacker might be able to inject arbitrary html and script code into the web site. This would alter the appearance and would make it possible to initiate further attacks against site visitors.
The weakness was shared 08/16/2017 by Cisco as cisco-sa-20170816-caw as confirmed advisory (Website). The advisory is shared for download at tools.cisco.com. This vulnerability was named CVE-2017-6788. The attack can be initiated remotely. No form of authentication is required for a successful exploitation. Technical details are known, but there is no available exploit. The structure of the vulnerability defines a possible price range of USD $0-$5k at the moment (estimation calculated on 08/17/2017).
Upgrading eliminates this vulnerability.
The vulnerability is also documented in the vulnerability database at SecurityTracker (ID 1039190).
CVSSv3
VulDB Base Score: 5.3VulDB Temp Score: 5.1
VulDB Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:X/RL:O/RC:C
VulDB Reliability: High
Vendor Base Score (Cisco): 6.1
Vendor Vector (Cisco): CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:X/RL:X/RC:X
CVSSv2
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Local | High | Multiple | None | None | None |
| Adjacent | Medium | Single | Partial | Partial | Partial |
| Network | Low | None | Complete | Complete | Complete |
VulDB Temp Score: 3.7 (CVSS2#E:ND/RL:OF/RC:C)
VulDB Reliability: High
CPE
- cpe:/a:cisco:anyconnect_secure_mobility_client
Exploiting
Class: Cross site scripting (CWE-80)Local: No
Remote: Yes
Availability: No
Price Prediction: steady
Current Price Estimation:
| 0-Day | $0-$5k | $5k-$25k | $25k-$100k | $100k-$500k |
|---|---|---|---|---|
| Today | $0-$5k | $5k-$25k | $25k-$100k | $100k-$500k |
Recommended: Upgrade
Status: Official fix
0-Day Time: 0 days since found
Timeline
08/16/2017 Advisory disclosed08/17/2017 VulDB entry created
08/17/2017 SecurityTracker entry created
08/17/2017 VulDB last update
Sources
Advisory: cisco-sa-20170816-cawResearcher: Cisco
Status: Confirmed
CVE: CVE-2017-6788 (mitre.org) (nvd.nist.org) (cvedetails.com)
Subscribe to:
Post Comments (Atom)
Sectoon
Featured post
27 good hacker documentary
In the eyes of most people, a group of hackers usually extremely boring nothing interesting people, and that if only the computer code in ...
Blog archive
Top certifications to plan in 2018 ?
0 comments:
Post a comment