CVSS: 6.8EPSS: 0%CPEs: 3EXPL: 0CVE-2019-1851 – Cisco Identity Services Engine Arbitrary Client Certificate Creation Vulnerability
https://notcve.org/view.php?id=CVE-2019-1851
A vulnerability in the External RESTful Services (ERS) API of the Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to generate arbitrary certificates signed by the Internal Certificate Authority (CA) Services on ISE. This vulnerability is due to an incorrect implementation of role-based access control (RBAC). An attacker could exploit this vulnerability by crafting a specific HTTP request with administrative credentials. A successful exploit could allow the attacker to generate a certificate that is signed and trusted by the ISE CA with arbitrary attributes. The attacker could use this certificate to access other networks or assets that are protected by certificate authentication. • http://www.securityfocus.com/bid/108356 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-ise-certcreation • CWE-285: Improper Authorization •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2018-15455 – Cisco Identity Services Engine Logging Cross-Site Scripting Vulnerability
https://notcve.org/view.php?id=CVE-2018-15455
A vulnerability in the logging component of Cisco Identity Services Engine could allow an unauthenticated, remote attacker to conduct cross-site scripting attacks. The vulnerability is due to the improper validation of requests stored in the system's logging database. An attacker could exploit this vulnerability by sending malicious requests to the targeted system. An exploit could allow the attacker to conduct cross-site scripting attacks when an administrator views the logs in the Admin Portal. Una vulnerabilidad en el componente logging en Cisco Identity Services Engine podría permitir que un atacante remoto no autenticado lleve a cabo ataques Cross-Site Scripting (XSS). • http://www.securityfocus.com/bid/106708 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-isel-xss • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 0%CPEs: 2EXPL: 0CVE-2018-15459 – Cisco Identity Services Engine Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2018-15459
A vulnerability in the administrative web interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to gain additional privileges on an affected device. The vulnerability is due to improper controls on certain pages in the web interface. An attacker could exploit this vulnerability by authenticating to the device with an administrator account and sending a crafted HTTP request. A successful exploit could allow the attacker to create additional Admin accounts with different user roles. An attacker could then use these accounts to perform actions within their scope. • http://www.securityfocus.com/bid/106707 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-ise-privilege • CWE-284: Improper Access Control •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2018-0187 – Cisco Identity Services Engine Privileged Account Sensitive Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2018-0187
A vulnerability in the Admin portal of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to obtain confidential information for privileged accounts. The vulnerability is due to the improper handling of confidential information. An attacker could exploit this vulnerability by logging into the web interface on a vulnerable system. An exploit could allow an attacker to obtain confidential information for privileged accounts. This information could then be used to impersonate or negatively impact the privileged account on the affected system. • http://www.securityfocus.com/bid/106717 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-ise-info-disclosure • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2018-15463 – Cisco Identity Services Engine Multiple Cross-Site Scripting Vulnerabilities
https://notcve.org/view.php?id=CVE-2018-15463
A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the web-based interface. The vulnerability is due to insufficient input validation of some parameters passed to the web-based management interface of an affected device. An attacker could exploit this vulnerability by convincing a user of the interface to click a specific link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the web-based management interface or allow the attacker to access sensitive browser-based information. Una vulnerabilidad en la interfaz de gestión web de Cisco Identity Services Engine (ISE) podría permitir que un atacante remoto no autenticado lleve a cabo un ataque de Cross-Site Scripting (XSS) reflejado contra un usuario de dicha interfaz. • http://www.securityfocus.com/bid/106513 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190109-ise-multi-xss • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •