CVE-2020-3598 - OpenCVE

A vulnerability in the web-based management interface of Cisco Vision Dynamic Signage Director could allow an unauthenticated, remote attacker to access confidential information or make configuration changes. The vulnerability is due to missing authentication for a specific section of the web-based management interface. An attacker could exploit this vulnerability by accessing a crafted URL. A successful exploit could allow the attacker to obtain access to a section of the interface, which they could use to read confidential information or make configuration changes.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Cisco	Vision Dynamic Signage Director

Configuration 1 [-]

OR	cpe:2.3:a:cisco:vision_dynamic_signage_director::::::::
	cpe:2.3:a:cisco:vision_dynamic_signage_director:6.2.0:-::::::
	cpe:2.3:a:cisco:vision_dynamic_signage_director:6.2.0:sp1::::::
	cpe:2.3:a:cisco:vision_dynamic_signage_director:6.2.0:sp2::::::
	cpe:2.3:a:cisco:vision_dynamic_signage_director:6.2.0:sp3::::::
	cpe:2.3:a:cisco:vision_dynamic_signage_director:6.2.0:sp4::::::
	cpe:2.3:a:cisco:vision_dynamic_signage_director:6.2.0:sp5::::::

References

Link	Resource
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cvdsd-missing-auth-rQO88rnj	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: cisco

Published: 2020-10-07T00:00:00

Updated: 2020-10-08T04:21:00

Reserved: 2019-12-12T00:00:00

Link: CVE-2020-3598

JSON object: View

NVD Information

Status : Modified

Published: 2020-10-08T05:15:15.757

Modified: 2023-11-07T03:22:59.770

Link: CVE-2020-3598

JSON object: View

Redhat Information

No data.

CWE

CWE-306

{"containers": {"cna": {"affected": [{"product": "Cisco Vision Dynamic Signage Director ", "vendor": "Cisco", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2020-10-07T00:00:00", "descriptions": [{"lang": "en", "value": "A vulnerability in the web-based management interface of Cisco Vision Dynamic Signage Director could allow an unauthenticated, remote attacker to access confidential information or make configuration changes. The vulnerability is due to missing authentication for a specific section of the web-based management interface. An attacker could exploit this vulnerability by accessing a crafted URL. A successful exploit could allow the attacker to obtain access to a section of the interface, which they could use to read confidential information or make configuration changes."}], "exploits": [{"lang": "en", "value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. "}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-306", "description": "CWE-306", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-10-08T04:21:00", "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "shortName": "cisco"}, "references": [{"name": "20201007 Cisco Vision Dynamic Signage Director Missing Authentication Vulnerability", "tags": ["vendor-advisory", "x_refsource_CISCO"], "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cvdsd-missing-auth-rQO88rnj"}], "source": {"advisory": "cisco-sa-cvdsd-missing-auth-rQO88rnj", "defect": [["CSCvv21344"]], "discovery": "INTERNAL"}, "title": "Cisco Vision Dynamic Signage Director Missing Authentication Vulnerability", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@cisco.com", "DATE_PUBLIC": "2020-10-07T16:00:00", "ID": "CVE-2020-3598", "STATE": "PUBLIC", "TITLE": "Cisco Vision Dynamic Signage Director Missing Authentication Vulnerability"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Cisco Vision Dynamic Signage Director ", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "Cisco"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A vulnerability in the web-based management interface of Cisco Vision Dynamic Signage Director could allow an unauthenticated, remote attacker to access confidential information or make configuration changes. The vulnerability is due to missing authentication for a specific section of the web-based management interface. An attacker could exploit this vulnerability by accessing a crafted URL. A successful exploit could allow the attacker to obtain access to a section of the interface, which they could use to read confidential information or make configuration changes."}]}, "exploit": [{"lang": "en", "value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. "}], "impact": {"cvss": {"baseScore": "6.5", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N ", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-306"}]}]}, "references": {"reference_data": [{"name": "20201007 Cisco Vision Dynamic Signage Director Missing Authentication Vulnerability", "refsource": "CISCO", "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cvdsd-missing-auth-rQO88rnj"}]}, "source": {"advisory": "cisco-sa-cvdsd-missing-auth-rQO88rnj", "defect": [["CSCvv21344"]], "discovery": "INTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "assignerShortName": "cisco", "cveId": "CVE-2020-3598", "datePublished": "2020-10-07T00:00:00", "dateReserved": "2019-12-12T00:00:00", "dateUpdated": "2020-10-08T04:21:00", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cisco:vision_dynamic_signage_director:*:*:*:*:*:*:*:*", "matchCriteriaId": "E93E33BA-3B7B-4AE6-9524-997E4EF17473", "versionEndExcluding": "6.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:cisco:vision_dynamic_signage_director:6.2.0:-:*:*:*:*:*:*", "matchCriteriaId": "0E9D9D82-2082-4127-9526-D05EE9547577", "vulnerable": true}, {"criteria": "cpe:2.3:a:cisco:vision_dynamic_signage_director:6.2.0:sp1:*:*:*:*:*:*", "matchCriteriaId": "FD412C57-3DB3-4D46-B48A-39348157E977", "vulnerable": true}, {"criteria": "cpe:2.3:a:cisco:vision_dynamic_signage_director:6.2.0:sp2:*:*:*:*:*:*", "matchCriteriaId": "FF7B8D97-A800-4D89-A952-3C1DE419D938", "vulnerable": true}, {"criteria": "cpe:2.3:a:cisco:vision_dynamic_signage_director:6.2.0:sp3:*:*:*:*:*:*", "matchCriteriaId": "F656F305-6069-4132-AC4A-A8C4146EB433", "vulnerable": true}, {"criteria": "cpe:2.3:a:cisco:vision_dynamic_signage_director:6.2.0:sp4:*:*:*:*:*:*", "matchCriteriaId": "34CEA4BF-2040-4FE9-8DF7-D8145D5D9809", "vulnerable": true}, {"criteria": "cpe:2.3:a:cisco:vision_dynamic_signage_director:6.2.0:sp5:*:*:*:*:*:*", "matchCriteriaId": "F846D6A8-F754-484B-A081-15D71C3C1112", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability in the web-based management interface of Cisco Vision Dynamic Signage Director could allow an unauthenticated, remote attacker to access confidential information or make configuration changes. The vulnerability is due to missing authentication for a specific section of the web-based management interface. An attacker could exploit this vulnerability by accessing a crafted URL. A successful exploit could allow the attacker to obtain access to a section of the interface, which they could use to read confidential information or make configuration changes."}, {"lang": "es", "value": "Una vulnerabilidad en la interfaz de administraci\u00f3n basada en web de Cisco Vision Dynamic Signage Director, podr\u00eda permitir a un atacante remoto no autenticado acceder a informaci\u00f3n confidencial o realizar cambios de configuraci\u00f3n. La vulnerabilidad es debido a una falta de autenticaci\u00f3n para una secci\u00f3n espec\u00edfica de la interfaz de administraci\u00f3n basada en web. Un atacante podr\u00eda explotar esta vulnerabilidad mediante el acceso a una URL creada. Una explotaci\u00f3n con \u00e9xito podr\u00eda permitir al atacante obtener acceso a una secci\u00f3n de la interfaz, que podr\u00eda ser usada para leer informaci\u00f3n confidencial o realizar cambios de configuraci\u00f3n"}], "id": "CVE-2020-3598", "lastModified": "2023-11-07T03:22:59.770", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "ykramarz@cisco.com", "type": "Secondary"}]}, "published": "2020-10-08T05:15:15.757", "references": [{"source": "ykramarz@cisco.com", "tags": ["Vendor Advisory"], "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cvdsd-missing-auth-rQO88rnj"}], "sourceIdentifier": "ykramarz@cisco.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-306"}], "source": "ykramarz@cisco.com", "type": "Secondary"}]}