CVE-2021-1606

Published: Jul 8, 2021Modified: Nov 21, 2024

4.8

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Exploitability: 1.7 / Impact: 2.7

Source: NVD

Description

Multiple vulnerabilities in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user. These vulnerabilities exist because the web-based management interface does not sufficiently validate user-supplied input. An attacker could exploit these vulnerabilities by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit these vulnerabilities, the attacker would need valid administrative credentials.

Affected (17)

Products: Cisco: Identity Services Engine

Cisco

1 product

Identity Services Engine

Configuration A

17 vulnerable

Vulnerable Software	Affected Versions
Cisco Identity Services Engine	Before 2.6.0
Cisco Identity Services Engine	Version 2.6.0
Cisco Identity Services Engine	Version 2.6.0 patch1
Cisco Identity Services Engine	Version 2.6.0 patch2
Cisco Identity Services Engine	Version 2.6.0 patch3
Cisco Identity Services Engine	Version 2.6.0 patch5
Cisco Identity Services Engine	Version 2.6.0 patch6
Cisco Identity Services Engine	Version 2.6.0 patch7
Cisco Identity Services Engine	Version 2.6.0 patch8
Cisco Identity Services Engine	Version 2.6(0.999)
Cisco Identity Services Engine	Version 2.7.0
Cisco Identity Services Engine	Version 2.7.0 patch1
Cisco Identity Services Engine	Version 2.7.0 patch2
Cisco Identity Services Engine	Version 2.7(0.356)
Cisco Identity Services Engine	Version 3.0.0
Cisco Identity Services Engine	Version 3.0.0 patch1
Cisco Identity Services Engine	Version 3.0.0 patch2

Related CWEs

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (2)

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-stored-xss-TWwjVPdL

Source: psirt@cisco.com

Vendor Advisory

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-stored-xss-TWwjVPdL

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.