CVSS: 7.2EPSS: 0%CPEs: 2EXPL: 0CVE-2018-15459 – Cisco Identity Services Engine Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2018-15459
A vulnerability in the administrative web interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to gain additional privileges on an affected device. The vulnerability is due to improper controls on certain pages in the web interface. An attacker could exploit this vulnerability by authenticating to the device with an administrator account and sending a crafted HTTP request. A successful exploit could allow the attacker to create additional Admin accounts with different user roles. An attacker could then use these accounts to perform actions within their scope. • http://www.securityfocus.com/bid/106707 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-ise-privilege • CWE-284: Improper Access Control •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2018-0187 – Cisco Identity Services Engine Privileged Account Sensitive Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2018-0187
A vulnerability in the Admin portal of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to obtain confidential information for privileged accounts. The vulnerability is due to the improper handling of confidential information. An attacker could exploit this vulnerability by logging into the web interface on a vulnerable system. An exploit could allow an attacker to obtain confidential information for privileged accounts. This information could then be used to impersonate or negatively impact the privileged account on the affected system. • http://www.securityfocus.com/bid/106717 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-ise-info-disclosure • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2018-15463 – Cisco Identity Services Engine Multiple Cross-Site Scripting Vulnerabilities
https://notcve.org/view.php?id=CVE-2018-15463
A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the web-based interface. The vulnerability is due to insufficient input validation of some parameters passed to the web-based management interface of an affected device. An attacker could exploit this vulnerability by convincing a user of the interface to click a specific link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the web-based management interface or allow the attacker to access sensitive browser-based information. Una vulnerabilidad en la interfaz de gestión web de Cisco Identity Services Engine (ISE) podría permitir que un atacante remoto no autenticado lleve a cabo un ataque de Cross-Site Scripting (XSS) reflejado contra un usuario de dicha interfaz. • http://www.securityfocus.com/bid/106513 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190109-ise-multi-xss • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2018-15440 – Cisco Identity Services Engine Multiple Cross-Site Scripting Vulnerabilities
https://notcve.org/view.php?id=CVE-2018-15440
A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web interface of an affected system. The vulnerability is due to insufficient sanitization of user-supplied data that is written to log files and displayed in certain web pages of the web-based management interface of an affected device. An attacker could exploit this vulnerability by convincing a user of the interface to click a specific link or view an affected log file. The injected script code may be executed in the context of the web-based management interface or allow the attacker to access sensitive browser-based information. Una vulnerabilidad en la interfaz de gestión web de Cisco Identity Services Engine (ISE) podría permitir que un atacante remoto no autenticado lleve a cabo un ataque de Cross-Site Scripting (XSS) persistente contra un usuario de dicha interfaz en un sistema afectado. • http://www.securityfocus.com/bid/106513 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190109-ise-multi-xss • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.9EPSS: 0%CPEs: 4EXPL: 0CVE-2018-15456 – Cisco Identity Services Engine Password Recovery Vulnerability
https://notcve.org/view.php?id=CVE-2018-15456
A vulnerability in the Admin Portal of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to view saved passwords in plain text. The vulnerability is due to the incorrect inclusion of saved passwords when loading configuration pages in the Admin Portal. An attacker with read or write access to the Admin Portal could exploit this vulnerability by browsing to a page that contains sensitive data. An exploit could allow the attacker to recover passwords for unauthorized use and expose those accounts to further attack. Una vulnerabilidad en el portal de administrador de Cisco Identity Services Engine (ISE) podría permitir que un atacante remoto autenticado visualice contraseñas guardadas en texto plano. • http://www.securityfocus.com/bid/106512 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190109-ise-passwd • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-522: Insufficiently Protected Credentials •