CVE-2024-20539

Опубликовано: 06 нояб. 2024

Источник: nvd

CVSS3: 4.8

EPSS Низкий

Описание

A vulnerability in the web-based management interface of Cisco ISE could allow an authenticated, remote attacker to conduct a stored XSS attack against a user of the interface.

This vulnerability exists because the web-based management interface does not sufficiently validate user-supplied input. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker would need valid administrative credentials on an affected device.

Ссылки

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-auth-bypass-BBRf7mkE
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:cisco:identity_services_engine:3.0.0:*:*:*:*:*:*:*

cpe:2.3:a:cisco:identity_services_engine:3.0.0:patch1:*:*:*:*:*:*

cpe:2.3:a:cisco:identity_services_engine:3.0.0:patch2:*:*:*:*:*:*

cpe:2.3:a:cisco:identity_services_engine:3.0.0:patch3:*:*:*:*:*:*

cpe:2.3:a:cisco:identity_services_engine:3.0.0:patch4:*:*:*:*:*:*

cpe:2.3:a:cisco:identity_services_engine:3.0.0:patch5:*:*:*:*:*:*

cpe:2.3:a:cisco:identity_services_engine:3.0.0:patch6:*:*:*:*:*:*

cpe:2.3:a:cisco:identity_services_engine:3.0.0:patch7:*:*:*:*:*:*

cpe:2.3:a:cisco:identity_services_engine:3.0.0:patch8:*:*:*:*:*:*

cpe:2.3:a:cisco:identity_services_engine:3.1.0:*:*:*:*:*:*:*

cpe:2.3:a:cisco:identity_services_engine:3.1.0:patch1:*:*:*:*:*:*

cpe:2.3:a:cisco:identity_services_engine:3.1.0:patch2:*:*:*:*:*:*

cpe:2.3:a:cisco:identity_services_engine:3.1.0:patch3:*:*:*:*:*:*

cpe:2.3:a:cisco:identity_services_engine:3.1.0:patch4:*:*:*:*:*:*

cpe:2.3:a:cisco:identity_services_engine:3.1.0:patch5:*:*:*:*:*:*

cpe:2.3:a:cisco:identity_services_engine:3.1.0:patch6:*:*:*:*:*:*

cpe:2.3:a:cisco:identity_services_engine:3.1.0:patch7:*:*:*:*:*:*

cpe:2.3:a:cisco:identity_services_engine:3.1.0:patch8:*:*:*:*:*:*

cpe:2.3:a:cisco:identity_services_engine:3.2.0:*:*:*:*:*:*:*

cpe:2.3:a:cisco:identity_services_engine:3.2.0:patch1:*:*:*:*:*:*

cpe:2.3:a:cisco:identity_services_engine:3.2.0:patch2:*:*:*:*:*:*

cpe:2.3:a:cisco:identity_services_engine:3.2.0:patch3:*:*:*:*:*:*

cpe:2.3:a:cisco:identity_services_engine:3.2.0:patch4:*:*:*:*:*:*

cpe:2.3:a:cisco:identity_services_engine:3.2.0:patch5:*:*:*:*:*:*

cpe:2.3:a:cisco:identity_services_engine:3.2.0:patch6:*:*:*:*:*:*

cpe:2.3:a:cisco:identity_services_engine:3.3.0:*:*:*:*:*:*:*

cpe:2.3:a:cisco:identity_services_engine:3.3.0:patch1:*:*:*:*:*:*

cpe:2.3:a:cisco:identity_services_engine:3.3.0:patch2:*:*:*:*:*:*

EPSS

Процентиль: 31%

0.0012

Низкий

4.8 Medium

CVSS3

Дефекты

CWE-79

Связанные уязвимости

GHSA-fj4q-693m-8fx4

CVSS3: 4.8

github

больше 1 года назад

A vulnerability in the web-based management interface of Cisco ISE could allow an authenticated, remote attacker to conduct a stored XSS attack against a user of the interface. This vulnerability exists because the web-based management interface does not sufficiently validate user-supplied input. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker would need valid administrative credentials on an affected device.

BDU:2024-09872

CVSS3: 4.8

fstec

больше 1 года назад

Уязвимость веб-интерфейса управления платформы управления политиками соединений Cisco Identity Services Engine (ISE), позволяющая нарушителю проводить межсайтовые сценарные атаки

EPSS

Процентиль: 31%

0.0012

Низкий

4.8 Medium

CVSS3

Дефекты

CWE-79