CVSS: 5.4EPSS: 0%CPEs: 33EXPL: 0CVE-2022-20967
https://notcve.org/view.php?id=CVE-2022-20967
A vulnerability in the web-based management interface of Cisco Identity Services Engine could allow an authenticated, remote attacker to conduct cross-site scripting attacks against other users of the application web-based management interface. This vulnerability is due to improper validation of input to an application feature before storage within the web-based management interface. An attacker could exploit this vulnerability by creating entries within the application interface that contain malicious HTML or script code. A successful exploit could allow the attacker to store malicious HTML or script code within the application interface for use in further cross-site scripting attacks. Cisco has not yet released software updates that address this vulnerability. Una vulnerabilidad en la interfaz de administración basada en web de Cisco Identity Services Engine podría permitir que un atacante remoto autenticado realice ataques de cross-site scripting contra otros usuarios de la interfaz de administración basada en web de la aplicación. Esta vulnerabilidad se debe a una validación inadecuada de la entrada a una función de la aplicación antes del almacenamiento dentro de la interfaz de administración basada en web. • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-7Q4TNYUx • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 33EXPL: 0CVE-2022-20964
https://notcve.org/view.php?id=CVE-2022-20964
A vulnerability in the web-based management interface of Cisco Identity Services Engine could allow an authenticated, remote attacker to inject arbitrary commands on the underlying operating system. This vulnerability is due to improper validation of user input within requests as part of the web-based management interface. An attacker could exploit this vulnerability by manipulating requests to the web-based management interface to contain operating system commands. A successful exploit could allow the attacker to execute arbitrary operating system commands on the underlying operating system with the privileges of the web services user. Cisco has not yet released software updates that address this vulnerability. Una vulnerabilidad en la interfaz de administración basada en web de Cisco Identity Services Engine podría permitir que un atacante remoto autenticado inyecte comandos arbitrarios en el sistema operativo subyacente. Esta vulnerabilidad se debe a una validación inadecuada de la entrada del usuario dentro de las solicitudes como parte de la interfaz de administración basada en web. • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-7Q4TNYUx • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 5.4EPSS: 0%CPEs: 33EXPL: 0CVE-2022-20966
https://notcve.org/view.php?id=CVE-2022-20966
A vulnerability in the web-based management interface of Cisco Identity Services Engine could allow an authenticated, remote attacker to conduct cross-site scripting attacks against other users of the application web-based management interface. This vulnerability is due to improper validation of input to an application feature before storage within the web-based management interface. An attacker could exploit this vulnerability by creating entries within the application interface that contain malicious HTML or script code. A successful exploit could allow the attacker to store malicious HTML or script code within the application interface for use in further cross-site scripting attacks. Cisco has not yet released software updates that address this vulnerability. Una vulnerabilidad en la interfaz de administración basada en web de Cisco Identity Services Engine podría permitir que un atacante remoto autenticado realice ataques de cross-site scripting contra otros usuarios de la interfaz de administración basada en web de la aplicación. Esta vulnerabilidad se debe a una validación inadecuada de la entrada a una función de la aplicación antes del almacenamiento dentro de la interfaz de administración basada en web. • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-7Q4TNYUx • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 33EXPL: 0CVE-2022-20965
https://notcve.org/view.php?id=CVE-2022-20965
A vulnerability in the web-based management interface of Cisco Identity Services Engine could allow an authenticated, remote attacker to take privileges actions within the web-based management interface. This vulnerability is due to improper access control on a feature within the web-based management interface of the affected system. An attacker could exploit this vulnerability by accessing features through direct requests, bypassing checks within the application. A successful exploit could allow the attacker to take privileged actions within the web-based management interface that should be otherwise restricted. {{value}} ["%7b%7bvalue%7d%7d"])}]] Una vulnerabilidad en la interfaz de administración basada en web de Cisco Identity Services Engine podría permitir que un atacante remoto autenticado realice acciones de privilegios dentro de la interfaz de administración basada en web. Esta vulnerabilidad se debe a un control de acceso inadecuado a una función dentro de la interfaz de administración basada en web del sistema afectado. Un atacante podría aprovechar esta vulnerabilidad accediendo a funciones a través de solicitudes directas, evitando las comprobaciones dentro de la aplicación. • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-7Q4TNYUx • CWE-648: Incorrect Use of Privileged APIs •
CVSS: 8.8EPSS: 0%CPEs: 5EXPL: 0CVE-2022-20956
https://notcve.org/view.php?id=CVE-2022-20956
A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to bypass authorization and access system files. This vulnerability is due to improper access control in the web-based management interface of an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow the attacker to list, download, and delete certain files that they should not have access to. Cisco plans to release software updates that address this vulnerability. https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-access-contol-EeufSUCx ["https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-access-contol-EeufSUCx"] Una vulnerabilidad en la interfaz de administración basada en web de Cisco Identity Services Engine (ISE) podría permitir que un atacante remoto autenticado haga una omisión sobre la autorización y acceda a los archivos del sistema. Esta vulnerabilidad se debe a un control de acceso inadecuado en la interfaz de administración basada en web de un dispositivo afectado. • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-access-contol-EeufSUCx • CWE-648: Incorrect Use of Privileged APIs •