Page 11 of 61 results (0.013 seconds)

CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerability exists because the web-based management interface of the affected device does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. Una vulnerabilidad en la interfaz de administración basada en web de Cisco Identity Services Engine (ISE) Software, podría permitir a un atacante remoto no autenticado conducir un ataque de tipo cross-site scripting (XSS) contra un usuario de la interfaz de administración basada en web de un dispositivo afectado . • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190904-ise-xss • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.1EPSS: 0%CPEs: 10EXPL: 0

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user to click a malicious link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. At the time of publication, this vulnerability affected Cisco ISE running software releases prior to 2.4.0 Patch 9 and 2.6.0. • http://www.securityfocus.com/bid/109297 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190717-ise-xss • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0

A vulnerability in the sponsor portal web interface for Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to impact the integrity of an affected system by executing arbitrary SQL queries. The vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending crafted input that includes SQL statements to an affected system. A successful exploit could allow the attacker to modify entries in some database tables, affecting the integrity of the data. At the time of publication, this vulnerability affected Cisco ISE running software releases 2.6.0 and prior. • http://www.securityfocus.com/bid/109283 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190717-ise-sql-inject • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 6.8EPSS: 0%CPEs: 3EXPL: 0

A vulnerability in the External RESTful Services (ERS) API of the Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to generate arbitrary certificates signed by the Internal Certificate Authority (CA) Services on ISE. This vulnerability is due to an incorrect implementation of role-based access control (RBAC). An attacker could exploit this vulnerability by crafting a specific HTTP request with administrative credentials. A successful exploit could allow the attacker to generate a certificate that is signed and trusted by the ISE CA with arbitrary attributes. The attacker could use this certificate to access other networks or assets that are protected by certificate authentication. • http://www.securityfocus.com/bid/108356 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-ise-certcreation • CWE-285: Improper Authorization •

CVSS: 7.2EPSS: 0%CPEs: 2EXPL: 0

A vulnerability in the administrative web interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to gain additional privileges on an affected device. The vulnerability is due to improper controls on certain pages in the web interface. An attacker could exploit this vulnerability by authenticating to the device with an administrator account and sending a crafted HTTP request. A successful exploit could allow the attacker to create additional Admin accounts with different user roles. An attacker could then use these accounts to perform actions within their scope. • http://www.securityfocus.com/bid/106707 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-ise-privilege • CWE-284: Improper Access Control •