CVE Vulnerability

CVE-2018-19525

An issue was discovered on Systrome ISG-600C, ISG-600H, and ISG-800W 1.1-R2.1_TRUNK-20180914.bin devices. There is CSRF via /ui/?g=obj_keywords_add and /ui/?g=obj_keywords_addsave with resultant XSS because of a lack of csrf token validation.

4.3 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 8.6 / Impact : 2.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

Scope

6.1 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References
Link Resource
http://seclists.org/fulldisclosure/2019/Feb/31 Exploit Mailing List
http://packetstormsecurity.com/files/151647/SYSTORME-ISG-Cross-Site-Request-Forgery.html Exploit Third Party Advisory
https://www.breakthesec.com/2019/02/cve-2018-19525-account-takeover-via.html Exploit Third Party Advisory
https://s3curityb3ast.github.io/KSA-Dev-002.md Exploit Third Party Advisory
Configurations

Configuration 1
Information

Published : 2019-03-21 04:00

Updated : 2020-08-24 05:37

NVD link : CVE-2018-19525

Mitre link : CVE-2018-19525

Products Affected

Cumilon Isg-800w Firmware

Systrome

CWE
CWE-352

CWE-79