Cisco today released an updated version of its IOS XE software to patch a high-severity cross-site request forgery (CSRF) vulnerability. Demo exploit code is available.
Hackers can leverage CSRF flaws to force the execution of unwanted actions in web pages or apps where the victim user has already authenticated.
These attacks can be delivered via a malicious link, and the action is executed with the same privileges as the logged-in user.
Multiple versions affected
Identified as CVE-2019-1904, the vulnerability affects outdated versions of Cisco IOS XE and has a severity score of 8.8 out of 10. It exists in the web-based user interface of the product.