Cisco Bug: CSCvv15134 - vManage /logout should accept only HTTP Method - POST

Last Modified

Sep 23, 2020

Products (1)

  • Cisco SD-WAN

Known Affected Releases

19.2.3 20.3 20.4

Description (partial)

Symptom:
The vManage Logout API, https://vmanage:443/logout, should accept only the HTTP method POST and must require a valid CSRF token.
In the current implementation, a user can be logged out of vManage by sending an HTTP GET request to https://vmanage:443/logout with a valid session cookie (JSESSIONID).
This allows an attacker to log a user out of their session by getting the user to visit a malicious website that contains a hidden form with action "https://vmanage:443/logout" submitted via HTTP GET on load, or a hidden iframe pointing at https://vmanage:443/logout.
Hence, it is mandatory to stop supporting HTTP GET on https://vmanage:443/logout and to accept only HTTP POST with a CSRF token for https://vmanage:443/logout.
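The following is an added illustration of the fix the report asks for; it is not Cisco vManage code. It models the logout endpoint twice: the reported behaviour, where any request carrying a valid JSESSIONID cookie ends the session, and a hardened version that answers GET with 405, requires POST, and checks a CSRF token bound to the caller's session. The in-memory session store, the `csrf_token` form field name and the sample sessions are constructed for the example.

```python
"""Minimal model of a logout endpoint hardened against logout CSRF.

Added illustration, not Cisco vManage code. All names and sample values
(the session store, the csrf_token form field) are constructed for the example.
"""
import hmac
import secrets
from http.cookies import SimpleCookie

# Constructed in-memory session store: JSESSIONID value -> session record.
SESSIONS = {}


def create_session(user):
    """Assumed login flow: issue a session id and a CSRF token bound to it."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return session_id


def _session_from_cookie(cookie_header):
    """Look up the session named by the JSESSIONID cookie, if any."""
    cookie = SimpleCookie()
    cookie.load(cookie_header or "")
    morsel = cookie.get("JSESSIONID")
    if morsel is None:
        return None, None
    return morsel.value, SESSIONS.get(morsel.value)


def handle_logout_vulnerable(method, cookie_header, form=None):
    """Reported behaviour: any method with a valid cookie ends the session.

    A browser attaches the cookie to a cross-site GET (iframe, img, form),
    so a third-party page can trigger this without the user's intent.
    """
    session_id, session = _session_from_cookie(cookie_header)
    if session is None:
        return 401, {}
    del SESSIONS[session_id]
    return 200, {}


def handle_logout_fixed(method, cookie_header, form=None):
    """Hardened /logout: POST only, and the token must match the session's."""
    form = form or {}
    if method != "POST":
        # Iframe, img and plain link loads are GETs: refuse them outright.
        return 405, {"Allow": "POST"}
    session_id, session = _session_from_cookie(cookie_header)
    if session is None:
        return 401, {}
    submitted = form.get("csrf_token", "")
    # Constant-time comparison so the token check does not leak timing.
    if not hmac.compare_digest(submitted.encode(), session["csrf"].encode()):
        return 403, {}
    del SESSIONS[session_id]
    return 200, {}


def run_scenarios():
    """Replay the cross-site GET from the report against both handlers."""
    results = {}

    sid = create_session("admin")
    cookie = f"JSESSIONID={sid}"
    results["vulnerable_get"] = handle_logout_vulnerable("GET", cookie)[0]
    results["session_survives_vulnerable"] = sid in SESSIONS

    sid = create_session("admin")
    cookie = f"JSESSIONID={sid}"
    results["fixed_get"] = handle_logout_fixed("GET", cookie)[0]
    results["fixed_post_no_token"] = handle_logout_fixed("POST", cookie)[0]
    results["fixed_post_bad_token"] = handle_logout_fixed(
        "POST", cookie, {"csrf_token": "not-the-token"})[0]
    results["session_survives_fixed"] = sid in SESSIONS
    good = {"csrf_token": SESSIONS[sid]["csrf"]}
    results["fixed_post_good_token"] = handle_logout_fixed("POST", cookie, good)[0]
    results["session_after_logout"] = sid in SESSIONS
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

In the vulnerable handler the forged GET returns 200 and the session is gone; in the hardened handler the same GET gets 405, a POST without the session-bound token gets 403, and only a POST carrying the correct token ends the session. The token must be per-session and unguessable by a third-party page, which is what makes the POST requirement meaningful on its own.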

Conditions:
Under normal operations