CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2019-1942 – Cisco Identity Services Engine Blind SQL Injection Vulnerability
https://notcve.org/view.php?id=CVE-2019-1942
17 Jul 2019 — A vulnerability in the sponsor portal web interface for Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to impact the integrity of an affected system by executing arbitrary SQL queries. The vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending crafted input that includes SQL statements to an affected system. A successful exploit could allow the attacker to modify entries in some database tables, affe... • http://www.securityfocus.com/bid/109283 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2019-1673 – Cisco Identity Services Engine Cross-Site Scripting Vulnerability
https://notcve.org/view.php?id=CVE-2019-1673
08 Feb 2019 — A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based interface. The vulnerability is due to insufficient input validation of some parameters passed to the web-based management interface. An attacker could exploit this vulnerability by convincing a user of the interface to click a specific link. A successful exploit could allow the attacker to e... • http://www.securityfocus.com/bid/106915 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 0%CPEs: 2EXPL: 0CVE-2018-15459 – Cisco Identity Services Engine Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2018-15459
23 Jan 2019 — A vulnerability in the administrative web interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to gain additional privileges on an affected device. The vulnerability is due to improper controls on certain pages in the web interface. An attacker could exploit this vulnerability by authenticating to the device with an administrator account and sending a crafted HTTP request. A successful exploit could allow the attacker to create additional Admin accounts with differ... • http://www.securityfocus.com/bid/106707 • CWE-284: Improper Access Control •