CVE-2024-20281

Summary

A vulnerability in the web-based management interface of Cisco Nexus Dashboard and Cisco Nexus Dashboard hosted services could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. This vulnerability is due to insufficient CSRF protections for the web-based management interface on an affected system. An attacker could exploit this vulnerability by persuading a user to click a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user. If the affected user has administrative privileges, these actions could include modifying the system configuration and creating new privileged accounts. Note: There are internal security mechanisms in place that limit the scope of this exploit, reducing the Security Impact Rating of this vulnerability.

Affected Software

VendorProductVersion RangeStatus
CiscoCisco Data Center Network Manager12.1(1)affected
CiscoCisco Data Center Network Manager12.1.1eaffected
CiscoCisco Data Center Network Manager12.1.2eaffected
CiscoCisco Data Center Network Manager12.1.3baffected
CiscoCisco Data Center Network Manager12.0.1aaffected
CiscoCisco Data Center Network Manager12.0.2daffected
CiscoCisco Data Center Network Manager12.0.2faffected
CiscoCisco Nexus Dashboard1.1(0c)affected
CiscoCisco Nexus Dashboard1.1(0d)affected
CiscoCisco Nexus Dashboard1.1(2h)affected
CiscoCisco Nexus Dashboard1.1(2i)affected
CiscoCisco Nexus Dashboard1.1(3c)affected
CiscoCisco Nexus Dashboard1.1(3d)affected
CiscoCisco Nexus Dashboard1.1(3e)affected
CiscoCisco Nexus Dashboard1.1(3f)affected
CiscoCisco Nexus Dashboard2.0(1b)affected
CiscoCisco Nexus Dashboard2.0(1d)affected
CiscoCisco Nexus Dashboard2.0(2g)affected
CiscoCisco Nexus Dashboard2.0(2h)affected
CiscoCisco Nexus Dashboard2.1(1d)affected
CiscoCisco Nexus Dashboard2.1(1e)affected
CiscoCisco Nexus Dashboard2.1(2d)affected
CiscoCisco Nexus Dashboard2.1(2f)affected
CiscoCisco Nexus Dashboard2.2(1e)affected
CiscoCisco Nexus Dashboard2.2(1h)affected
CiscoCisco Nexus Dashboard2.2(2d)affected
CiscoCisco Nexus Dashboard2.3(1c)affected
CiscoCisco Nexus Dashboard2.3(2b)affected
CiscoCisco Nexus Dashboard2.3(2c)affected
CiscoCisco Nexus Dashboard2.3(2d)affected
CiscoCisco Nexus Dashboard2.3(2e)affected
CiscoCisco Nexus Dashboard3.0(1f)affected
CiscoCisco Nexus Dashboard OrchestratorN/Aaffected
CiscoCisco Nexus Dashboard Insights2.2.2.125affected
CiscoCisco Nexus Dashboard Insights2.2.2.126affected
CiscoCisco Nexus Dashboard Insights5.0.1.150affected
CiscoCisco Nexus Dashboard Insights5.0.1.154affected
CiscoCisco Nexus Dashboard Insights5.1.0.131affected
CiscoCisco Nexus Dashboard Insights5.1.0.135affected
CiscoCisco Nexus Dashboard Insights6.0.1affected
CiscoCisco Nexus Dashboard Insights6.0.2affected
CiscoCisco Nexus Dashboard Insights6.1.1affected
CiscoCisco Nexus Dashboard Insights6.1.2affected
CiscoCisco Nexus Dashboard Insights6.1.3affected
CiscoCisco Nexus Dashboard Insights6.3.1affected
CiscoCisco Nexus Dashboard Insights6.2.1affected
CiscoCisco Nexus Dashboard Insights6.2.2affected

Weaknesses

  • CWE-352: Cross-Site Request Forgery (CSRF)

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References