CVE-2024-20539

Published: Nov 6, 2024Modified: Nov 22, 2024

4.8

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Exploitability: 1.7 / Impact: 2.7

Source: NVD

Description

A vulnerability in the web-based management interface of Cisco ISE could allow an authenticated, remote attacker to conduct a stored XSS attack against a user of the interface. This vulnerability exists because the web-based management interface does not sufficiently validate user-supplied input. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker would need valid administrative credentials on an affected device.

Affected (28)

Products: Cisco: Identity Services Engine

Cisco

1 product

Identity Services Engine

Configuration A

28 vulnerable

Vulnerable Software	Affected Versions
Cisco Identity Services Engine	Version 3.0.0
Cisco Identity Services Engine	Version 3.0.0 patch1
Cisco Identity Services Engine	Version 3.0.0 patch2
Cisco Identity Services Engine	Version 3.0.0 patch3
Cisco Identity Services Engine	Version 3.0.0 patch4
Cisco Identity Services Engine	Version 3.0.0 patch5
Cisco Identity Services Engine	Version 3.0.0 patch6
Cisco Identity Services Engine	Version 3.0.0 patch7
Cisco Identity Services Engine	Version 3.0.0 patch8
Cisco Identity Services Engine	Version 3.1.0
Cisco Identity Services Engine	Version 3.1.0 patch1
Cisco Identity Services Engine	Version 3.1.0 patch2
Cisco Identity Services Engine	Version 3.1.0 patch3
Cisco Identity Services Engine	Version 3.1.0 patch4
Cisco Identity Services Engine	Version 3.1.0 patch5
Cisco Identity Services Engine	Version 3.1.0 patch6
Cisco Identity Services Engine	Version 3.1.0 patch7
Cisco Identity Services Engine	Version 3.1.0 patch8
Cisco Identity Services Engine	Version 3.2.0
Cisco Identity Services Engine	Version 3.2.0 patch1
Cisco Identity Services Engine	Version 3.2.0 patch2
Cisco Identity Services Engine	Version 3.2.0 patch3
Cisco Identity Services Engine	Version 3.2.0 patch4
Cisco Identity Services Engine	Version 3.2.0 patch5
Cisco Identity Services Engine	Version 3.2.0 patch6
Cisco Identity Services Engine	Version 3.3.0
Cisco Identity Services Engine	Version 3.3.0 patch1
Cisco Identity Services Engine	Version 3.3.0 patch2

Related CWEs

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (1)

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-auth-bypass-BBRf7mkE

Source: psirt@cisco.com

Vendor Advisory

Timeline

No history available yet.