Home Unlabelled Cisco Identity Services Engine Multiple Cross-Site Scripting Vulnerabilities

Cisco Identity Services Engine Multiple Cross-Site Scripting Vulnerabilities

By
Wednesday, January 09, 2019
Read
Add Comment

Two vulnerabilities in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack or a reflected cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device.

The vulnerabilities are not dependent on one another; exploitation of one of the vulnerabilities is not required to exploit the other vulnerability. In addition, a software release that is affected by one of the vulnerabilities may not be affected by the other vulnerability.

Details about the vulnerabilities are as follows.

Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerability

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web interface of an affected system.

The vulnerability is due to insufficient sanitization of user-supplied data that is written to log files and displayed in certain web pages of the web-based management interface of an affected device. An attacker could exploit this vulnerability by convincing a user of the interface to click a specific link or view an affected log file. The injected script code may be executed in the context of the web-based management interface or allow the attacker to access sensitive browser-based information.

The CVE ID for this vulnerability is: CVE-2018-15440

The Security Impact Rating (SIR) for this vulnerability is: Medium

Cisco Identity Services Engine Reflected Cross-Site Scripting Vulnerability

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the web-based interface.

The vulnerability is due to insufficient input validation of some parameters passed to the web-based management interface of an affected device. An attacker could exploit this vulnerability by convincing a user of the interface to click a specific link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the web-based management interface or allow the attacker to access sensitive browser-based information.

The CVE ID for this vulnerability is: CVE-2018-15463

The Security Impact Rating (SIR) for this vulnerability is: Medium



from Cisco Security Advisory http://bit.ly/2SMUktA
Tags :

Created By Nexus · Powered by Blogger
© All Rights Reserved

Terms Of Service · Privacy Policy · Disclaimer · Contact Us · About Us