CVE-2018-0270

Name of the Vulnerable Software and Affected Versions: Cisco IoT Field Network Director versions prior to 4.1.1-6 Cisco IoT Field Network Director versions prior to 4.2.0-123 Connected Grid Network Management System versions prior to 3.0

Description: A vulnerability in the web-based management interface could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and alter the data of existing users and groups on an affected device. The issue is due to insufficient CSRF protections for the web-based management interface. An attacker could exploit this by persuading a user to follow a malicious link, potentially allowing the attacker to perform arbitrary actions with the privilege level of the affected user, including creating a new, privileged account if the user has administrative privileges.

Recommendations: For Cisco IoT Field Network Director versions prior to 4.1.1-6, update to Release 4.1.1-6 or later. For Cisco IoT Field Network Director versions prior to 4.2.0-123, update to Release 4.2.0-123 or later. For Connected Grid Network Management System versions prior to 3.0, update to Release 3.0 or later.