CVSS: 4.9EPSS: 0%CPEs: 4EXPL: 0CVE-2018-15456 – Cisco Identity Services Engine Password Recovery Vulnerability
https://notcve.org/view.php?id=CVE-2018-15456
A vulnerability in the Admin Portal of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to view saved passwords in plain text. The vulnerability is due to the incorrect inclusion of saved passwords when loading configuration pages in the Admin Portal. An attacker with read or write access to the Admin Portal could exploit this vulnerability by browsing to a page that contains sensitive data. An exploit could allow the attacker to recover passwords for unauthorized use and expose those accounts to further attack. Una vulnerabilidad en el portal de administrador de Cisco Identity Services Engine (ISE) podría permitir que un atacante remoto autenticado visualice contraseñas guardadas en texto plano. • http://www.securityfocus.com/bid/106512 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190109-ise-passwd • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-522: Insufficiently Protected Credentials •
CVSS: 6.5EPSS: 0%CPEs: 8EXPL: 0CVE-2018-15425 – Multiple Vulnerabilities in Cisco Identity Services Engine
https://notcve.org/view.php?id=CVE-2018-15425
A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device with the privileges of the web server. Una vulnerabilidad en la interfaz de gestión web de Cisco Identity Services Engine (ISE) podría permitir que un atacante remoto autenticado ejecute comandos arbitrarios en el sistema operativo subyacente de un dispositivo afectado con los privilegios del servidor web. • http://www.securitytracker.com/id/1041792 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-ise-mult-vulns • CWE-20: Improper Input Validation CWE-502: Deserialization of Untrusted Data •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2018-15424 – Multiple Vulnerabilities in Cisco Identity Services Engine
https://notcve.org/view.php?id=CVE-2018-15424
A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device with the privileges of the web server. Una vulnerabilidad en la interfaz de gestión web de Cisco Identity Services Engine (ISE) podría permitir que un atacante remoto autenticado ejecute comandos arbitrarios en el sistema operativo subyacente de un dispositivo afectado con los privilegios del servidor web. • http://www.securitytracker.com/id/1041792 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-ise-mult-vulns • CWE-20: Improper Input Validation CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 8.6EPSS: 0%CPEs: 4EXPL: 0CVE-2018-0277
https://notcve.org/view.php?id=CVE-2018-0277
A vulnerability in the Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) certificate validation during EAP authentication for the Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to cause the ISE application server to restart unexpectedly, causing a denial of service (DoS) condition on an affected system. The vulnerability is due to incomplete input validation of the client EAP-TLS certificate. An attacker could exploit this vulnerability by initiating EAP authentication over TLS to the ISE with a crafted EAP-TLS certificate. A successful exploit could allow the attacker to restart the ISE application server, resulting in a DoS condition on the affected system. The ISE application could continue to restart while the client attempts to establish the EAP authentication connection. • http://www.securityfocus.com/bid/104212 http://www.securitytracker.com/id/1040922 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180516-iseeap • CWE-295: Improper Certificate Validation •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2018-0275
https://notcve.org/view.php?id=CVE-2018-0275
A vulnerability in the support tunnel feature of Cisco Identity Services Engine (ISE) could allow an authenticated, local attacker to access the device's shell. The vulnerability is due to improper configuration of the support tunnel feature. An attacker could exploit this vulnerability by tricking the device into unlocking the support user account and accessing the tunnel password and device serial number. A successful exploit could allow the attacker to run any system command with root access. This affects Cisco Identity Services Engine (ISE) software versions prior to 2.2.0.470. • http://www.securitytracker.com/id/1040717 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-ise • CWE-16: Configuration •