CVE-2019-1673

Опубликовано: 08 фев. 2019

Источник: nvd

CVSS3: 5.4

CVSS2: 3.5

EPSS Низкий

Описание

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based interface. The vulnerability is due to insufficient input validation of some parameters passed to the web-based management interface. An attacker could exploit this vulnerability by convincing a user of the interface to click a specific link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive browser-based information. For information about fixed software releases, consult the Cisco bug ID at https://quickview.cloudapps.cisco.com/quickview/bug/CSCvn64652. When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a compl

Ссылки

http://www.securityfocus.com/bid/106915
Third Party Advisory
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190206-ise-xss
Vendor Advisory
http://www.securityfocus.com/bid/106915
Third Party Advisory
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190206-ise-xss
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:cisco:identity_services_engine:2.5\(0.353\):*:*:*:*:*:*:*

EPSS

Процентиль: 41%

0.00195

Низкий

5.4 Medium

CVSS3

3.5 Low

CVSS2

Дефекты

CWE-79

Связанные уязвимости

GHSA-667v-j225-pqfx

CVSS3: 5.4

github

больше 3 лет назад

BDU:2019-00741

CVSS3: 6.1

fstec

около 7 лет назад

Уязвимость веб-интерфейса платформы управления политиками соединений Cisco Identity Services Engine, позволяющая нарушителю внедрить в загружаемую страницу произвольный JavaScript-код и получить доступ к защищаемым данным