exploitDog

CVE-2024-20476

Published: 06 Nov 2024
Source: nvd
CVSS3: 4.3
CVSS3: 4.9
EPSS: Low

Description

A vulnerability in the web-based management interface of Cisco ISE could allow an authenticated, remote attacker to bypass the authorization mechanisms for specific file management functions.

This vulnerability is due to lack of server-side validation of Administrator permissions. An attacker could exploit this vulnerability by submitting a crafted HTTP request to an affected system. A successful exploit could allow the attacker to upload files to a location that should be restricted. To exploit this vulnerability, an attacker would need valid Read-Only Administrator credentials.

Vulnerable configurations

Configuration 1

One of

cpe:2.3:a:cisco:identity_services_engine:*:*:*:*:*:*:*:*
Versions before 3.1 (excluding)
cpe:2.3:a:cisco:identity_services_engine:3.1.0:-:*:*:*:*:*:*
cpe:2.3:a:cisco:identity_services_engine:3.1.0:patch1:*:*:*:*:*:*
cpe:2.3:a:cisco:identity_services_engine:3.1.0:patch2:*:*:*:*:*:*
cpe:2.3:a:cisco:identity_services_engine:3.1.0:patch3:*:*:*:*:*:*
cpe:2.3:a:cisco:identity_services_engine:3.1.0:patch4:*:*:*:*:*:*
cpe:2.3:a:cisco:identity_services_engine:3.1.0:patch5:*:*:*:*:*:*
cpe:2.3:a:cisco:identity_services_engine:3.1.0:patch6:*:*:*:*:*:*
cpe:2.3:a:cisco:identity_services_engine:3.1.0:patch7:*:*:*:*:*:*
cpe:2.3:a:cisco:identity_services_engine:3.1.0:patch8:*:*:*:*:*:*
cpe:2.3:a:cisco:identity_services_engine:3.1.0:patch9:*:*:*:*:*:*
cpe:2.3:a:cisco:identity_services_engine:3.2.0:-:*:*:*:*:*:*
cpe:2.3:a:cisco:identity_services_engine:3.2.0:patch1:*:*:*:*:*:*
cpe:2.3:a:cisco:identity_services_engine:3.2.0:patch2:*:*:*:*:*:*
cpe:2.3:a:cisco:identity_services_engine:3.2.0:patch3:*:*:*:*:*:*
cpe:2.3:a:cisco:identity_services_engine:3.2.0:patch4:*:*:*:*:*:*
cpe:2.3:a:cisco:identity_services_engine:3.2.0:patch5:*:*:*:*:*:*
cpe:2.3:a:cisco:identity_services_engine:3.2.0:patch6:*:*:*:*:*:*
cpe:2.3:a:cisco:identity_services_engine:3.3.0:-:*:*:*:*:*:*
cpe:2.3:a:cisco:identity_services_engine:3.3.0:patch1:*:*:*:*:*:*
cpe:2.3:a:cisco:identity_services_engine:3.3.0:patch2:*:*:*:*:*:*
cpe:2.3:a:cisco:identity_services_engine:3.3.0:patch3:*:*:*:*:*:*

EPSS

Percentile: 14%
0.00047
Low

4.3 Medium

CVSS3

4.9 Medium

CVSS3

Weaknesses

CWE-602
NVD-CWE-Other

Related vulnerabilities

CVSS3: 4.3
github
more than 1 year ago

A vulnerability in the web-based management interface of Cisco ISE could allow an authenticated, remote attacker to bypass the authorization mechanisms for specific file management functions. This vulnerability is due to lack of server-side validation of Administrator permissions. An attacker could exploit this vulnerability by submitting a crafted HTTP request to an affected system. A successful exploit could allow the attacker to upload files to a location that should be restricted. To exploit this vulnerability, an attacker would need valid Read-Only Administrator credentials.

CVSS3: 4.3
fstec
more than 1 year ago

A vulnerability in the web management interface of the Cisco Identity Services Engine (ISE) connection policy management platform that allows an attacker to upload arbitrary files
