← Back

CVE-2020-3589

nvd nist
Published: Oct 8, 2020Modified: Nov 21, 2024

JSON object

Loading...
4.8
Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Exploitability: 1.7 / Impact: 2.7
Source: NVD

Description

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) Software could allow an authenticated, remote attacker with administrative credentials to conduct a cross-site scripting (XSS) attack against a user of the interface. The vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information. To exploit this vulnerability, an attacker would need to have valid administrative credentials.

Affected (52)

Cisco
1 product
Identity Services Engine
Configuration A
52 vulnerable
Vulnerable SoftwareAffected Versions
Cisco
Identity Services Engine
Version 2.2.0.470 patch10
Identity Services Engine
Version 2.2.0.470 patch11
Identity Services Engine
Version 2.2.0.470 patch12
Identity Services Engine
Version 2.2.0.470 patch13
Identity Services Engine
Version 2.2.0.470 patch14
Identity Services Engine
Version 2.2.0.470 patch15
Identity Services Engine
Version 2.2.0.470 patch16
Identity Services Engine
Version 2.2.0.470 patch1
Identity Services Engine
Version 2.2.0.470 patch2
Identity Services Engine
Version 2.2.0.470 patch3
Identity Services Engine
Version 2.2.0.470 patch4
Identity Services Engine
Version 2.2.0.470 patch5
Identity Services Engine
Version 2.2.0.470 patch6
Identity Services Engine
Version 2.2.0.470 patch7
Identity Services Engine
Version 2.2.0.470 patch8
Identity Services Engine
Version 2.2.0.470 patch9
Identity Services Engine
Version 2.2.0 patch16
Identity Services Engine
Version 2.3.0.298
Identity Services Engine
Version 2.3.0.298 patch1
Identity Services Engine
Version 2.3.0.298 patch2
Identity Services Engine
Version 2.3.0.298 patch3
Identity Services Engine
Version 2.3.0.298 patch4
Identity Services Engine
Version 2.3.0.298 patch5
Identity Services Engine
Version 2.3.0.298 patch6
Identity Services Engine
Version 2.3.0.298 patch7
Identity Services Engine
Version 2.3.0 patch7
Identity Services Engine
Version 2.4.0.357
Identity Services Engine
Version 2.4.0.357 patch10
Identity Services Engine
Version 2.4.0.357 patch1
Identity Services Engine
Version 2.4.0.357 patch2
Identity Services Engine
Version 2.4.0.357 patch3
Identity Services Engine
Version 2.4.0.357 patch4
Identity Services Engine
Version 2.4.0.357 patch5
Identity Services Engine
Version 2.4.0.357 patch6
Identity Services Engine
Version 2.4.0.357 patch7
Identity Services Engine
Version 2.4.0.357 patch8
Identity Services Engine
Version 2.4.0.357 patch9
Identity Services Engine
Version 2.4.0 patch12
Identity Services Engine
Version 2.6.0.156 patch1
Identity Services Engine
Version 2.6.0.156 patch2
Identity Services Engine
Version 2.6.0.156 patch3
Identity Services Engine
Version 2.6.0.156 patch5
Identity Services Engine
Version 2.6.0.156 patch6
Identity Services Engine
Version 2.6.0.156 patch7
Identity Services Engine
Version 2.6.0
Identity Services Engine
Version 2.6.0 patch1
Identity Services Engine
Version 2.6.0 patch2
Identity Services Engine
Version 2.6.0 patch3
Identity Services Engine
Version 2.6.0 patch5
Identity Services Engine
Version 2.6.0 patch6
Identity Services Engine
Version 2.6.0 patch7
Identity Services Engine
Version 2.7.0 patch2

Related CWEs

CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (2)

Source: psirt@cisco.com
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory

Timeline

No history available yet.