CVSS: 9.0EPSS: 6%CPEs: 33EXPL: 0CVE-2022-20964
https://notcve.org/view.php?id=CVE-2022-20964
18 Jan 2023 — A vulnerability in the web-based management interface of Cisco Identity Services Engine could allow an authenticated, remote attacker to inject arbitrary commands on the underlying operating system. This vulnerability is due to improper validation of user input within requests as part of the web-based management interface. An attacker could exploit this vulnerability by manipulating requests to the web-based management interface to contain operating system commands. A successful exploit could allow the atta... • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-7Q4TNYUx • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 5.5EPSS: 4%CPEs: 33EXPL: 0CVE-2022-20966
https://notcve.org/view.php?id=CVE-2022-20966
18 Jan 2023 — A vulnerability in the web-based management interface of Cisco Identity Services Engine could allow an authenticated, remote attacker to conduct cross-site scripting attacks against other users of the application web-based management interface. This vulnerability is due to improper validation of input to an application feature before storage within the web-based management interface. An attacker could exploit this vulnerability by creating entries within the application interface that contain malicious HTML... • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-7Q4TNYUx • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 33EXPL: 0CVE-2022-20965
https://notcve.org/view.php?id=CVE-2022-20965
18 Jan 2023 — A vulnerability in the web-based management interface of Cisco Identity Services Engine could allow an authenticated, remote attacker to take privileges actions within the web-based management interface. This vulnerability is due to improper access control on a feature within the web-based management interface of the affected system. An attacker could exploit this vulnerability by accessing features through direct requests, bypassing checks within the application. A successful exploit could allow the attack... • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-7Q4TNYUx • CWE-648: Incorrect Use of Privileged APIs •
CVSS: 5.5EPSS: 0%CPEs: 19EXPL: 0CVE-2022-20963
https://notcve.org/view.php?id=CVE-2022-20963
03 Nov 2022 — A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A... • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-stor-xss-kpRBWXY • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-87: Improper Neutralization of Alternate XSS Syntax •
CVSS: 5.3EPSS: 0%CPEs: 18EXPL: 0CVE-2022-20937
https://notcve.org/view.php?id=CVE-2022-20937
03 Nov 2022 — A vulnerability in a feature that monitors RADIUS requests on Cisco Identity Services Engine (ISE) Software could allow an unauthenticated, remote attacker to negatively affect the performance of an affected device. This vulnerability is due to insufficient management of system resources. An attacker could exploit this vulnerability by taking actions that cause Cisco ISE Software to receive specific RADIUS traffic. A successful and sustained exploit of this vulnerability could allow the attacker to cause re... • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-sec-atk-dos-zw5RCUYp • CWE-400: Uncontrolled Resource Consumption CWE-410: Insufficient Resource Pool •
CVSS: 10.0EPSS: 0%CPEs: 29EXPL: 0CVE-2022-20961
https://notcve.org/view.php?id=CVE-2022-20961
03 Nov 2022 — A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. This vulnerability is due to insufficient CSRF protections for the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a crafted link. A successful exploit could allow ... • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-csrf-vgNtTpAs • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 0%CPEs: 20EXPL: 0CVE-2022-20959 – Cisco Identity Services Engine Cross-Site Scripting Vulnerability
https://notcve.org/view.php?id=CVE-2022-20959
26 Oct 2022 — A vulnerability in the External RESTful Services (ERS) API of Cisco Identity Services Engine (ISE) Software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface of an affected device. This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by persuading an authenticated administrator of the web-based management interface to click a malicious link. A successful exploit could allow the atta... • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-xss-twLnpy3M • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 27EXPL: 0CVE-2022-20914 – Cisco Identity Services Engine Sensitive Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2022-20914
10 Aug 2022 — A vulnerability in the External RESTful Services (ERS) API of Cisco Identity Services Engine (ISE) Software could allow an authenticated, remote attacker to obtain sensitive information. This vulnerability is due to excessive verbosity in a specific REST API output. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow the attacker to obtain sensitive information, including administrative credentials for an external authentica... • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-pwd-WH64AhQF • CWE-522: Insufficiently Protected Credentials CWE-549: Missing Password Field Masking •
CVSS: 8.6EPSS: 0%CPEs: 16EXPL: 0CVE-2022-20756 – Cisco Identity Services Engine RADIUS Service Denial of Service Vulnerability
https://notcve.org/view.php?id=CVE-2022-20756
06 Apr 2022 — A vulnerability in the RADIUS feature of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to cause the affected system to stop processing RADIUS packets. This vulnerability is due to improper handling of certain RADIUS requests. An attacker could exploit this vulnerability by attempting to authenticate to a network or a service where the access server is using Cisco ISE as the RADIUS server. A successful exploit could allow the attacker to cause Cisco ISE to stop processi... • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-dos-JLh9TxBp • CWE-399: Resource Management Errors •
CVSS: 6.5EPSS: 0%CPEs: 23EXPL: 0CVE-2022-20782 – Cisco Identity Services Engine Sensitive Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2022-20782
06 Apr 2022 — A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to obtain sensitive information from an affected device. This vulnerability is due to improper enforcement of administrative privilege levels for high-value sensitive data. An attacker with read-only Administrator privileges to the web-based management interface on an affected device could exploit this vulnerability by browsing to a page that contains sensitive data. A ... • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-info-exp-YXAWYP3s • CWE-266: Incorrect Privilege Assignment CWE-269: Improper Privilege Management •