Severity: 4.3 MEDIUM

CVE-2019-1665

Published: 21/02/2019 Updated: 28/02/2019
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 6.1 | Impact Score: 2.7 | Exploitability Score: 2.8

Vulnerability Summary

A vulnerability in the web-based management interface of Cisco HyperFlex software could allow an unauthenticated, remote malicious user to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected system. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by persuading a user of the interface to click a maliciously crafted link. A successful exploit could allow the malicious user to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. Versions before 3.5(1a) are affected.

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Access Complexity: MEDIUM
Authentication: NONE
Access Vector: NETWORK
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

Affected Products

Vendor:   Cisco
Product:  Hyperflex Hx Data Platform
Versions: 2.6(1a), 2.6(1b), 2.6(1d), 2.6(1e), 3.0(1a), 3.0(1b), 3.0(1c), 3.0(1d), 3.0(1e), 3.0(1h), 3.0(1i)

Vendor Advisories

A vulnerability in the web-based management interface of Cisco HyperFlex software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected system. The vulnerability is due to insufficient validation of user-supplied input by the web-based manag ...

Recent Articles

Check yo self before you HyperWreck yo self: Cisco fixes gimme-root holes in HyperFlex, plus more security bugs
The Register • Shaun Nichols • 21 Feb 2019

Patches available now spread across more than a dozen advisories

Cisco emitted on Wednesday a bunch of security updates that, your support contract willing, you should test and roll out to installations as soon as possible.
There are 17 advisories in all, including revised versions of previously issued bulletins, with six marked as high in terms of severity and the rest medium. The worst of the lot grants root access to a local attacker, closely followed by another that allows any remote miscreant in without authorization.
Here's a summary of the ...
