Page 11 of 61 results (0.007 seconds)

CVSS: 7.2EPSS: 0%CPEs: 2EXPL: 0

A vulnerability in the administrative web interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to gain additional privileges on an affected device. The vulnerability is due to improper controls on certain pages in the web interface. An attacker could exploit this vulnerability by authenticating to the device with an administrator account and sending a crafted HTTP request. A successful exploit could allow the attacker to create additional Admin accounts with different user roles. An attacker could then use these accounts to perform actions within their scope. • http://www.securityfocus.com/bid/106707 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-ise-privilege • CWE-284: Improper Access Control •

CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0

A vulnerability in the logging component of Cisco Identity Services Engine could allow an unauthenticated, remote attacker to conduct cross-site scripting attacks. The vulnerability is due to the improper validation of requests stored in the system's logging database. An attacker could exploit this vulnerability by sending malicious requests to the targeted system. An exploit could allow the attacker to conduct cross-site scripting attacks when an administrator views the logs in the Admin Portal. Una vulnerabilidad en el componente logging en Cisco Identity Services Engine podría permitir que un atacante remoto no autenticado lleve a cabo ataques Cross-Site Scripting (XSS). • http://www.securityfocus.com/bid/106708 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-isel-xss • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.9EPSS: 0%CPEs: 4EXPL: 0

A vulnerability in the Admin Portal of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to view saved passwords in plain text. The vulnerability is due to the incorrect inclusion of saved passwords when loading configuration pages in the Admin Portal. An attacker with read or write access to the Admin Portal could exploit this vulnerability by browsing to a page that contains sensitive data. An exploit could allow the attacker to recover passwords for unauthorized use and expose those accounts to further attack. Una vulnerabilidad en el portal de administrador de Cisco Identity Services Engine (ISE) podría permitir que un atacante remoto autenticado visualice contraseñas guardadas en texto plano. • http://www.securityfocus.com/bid/106512 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190109-ise-passwd • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-522: Insufficiently Protected Credentials •

CVSS: 6.5EPSS: 0%CPEs: 8EXPL: 0

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device with the privileges of the web server. Una vulnerabilidad en la interfaz de gestión web de Cisco Identity Services Engine (ISE) podría permitir que un atacante remoto autenticado ejecute comandos arbitrarios en el sistema operativo subyacente de un dispositivo afectado con los privilegios del servidor web. • http://www.securitytracker.com/id/1041792 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-ise-mult-vulns • CWE-20: Improper Input Validation CWE-502: Deserialization of Untrusted Data •

CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based interface. The vulnerability is due to insufficient input validation of some parameters passed to the web-based management interface. An attacker could exploit this vulnerability by convincing a user of the interface to click a specific link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive browser-based information. Cisco Bug IDs: CSCvf72309. • http://www.securityfocus.com/bid/104424 http://www.securitytracker.com/id/1041066 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-ise-xss • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •