Multiple Vulnerabilities in Cisco Identity Services Engine (ISE)
Indian Computer Emergency Response Team (cert-in.org.in)
Severity Rating: MEDIUM
Component Affected
Cisco Identity Services Engine (ISE)
Overview
Multiple vulnerabilities have been reported in the web-based management interface of Cisco Identity Services Engine (ISE) which could allow a remote attacker to make unauthorized changes to the file system and conduct a cross-site scripting (XSS) attack on the targeted system.
Description
1. Path Traversal Vulnerability (CVE-2022-20962)
This vulnerability exists in the Localdisk Management feature of Cisco Identity Services Engine (ISE) due to insufficient input validation. A remote attacker could exploit this vulnerability by sending a crafted HTTP request containing absolute path sequences.
Successful exploitation of this vulnerability could allow a remote attacker to upload malicious files to arbitrary locations within the file system and execute commands with system privileges.
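As an added illustration of the input-validation gap described above (not code from Cisco or from the advisory), the following Python shows a naive path join, in which an absolute or `..`-bearing file name escapes the intended directory, beside a hardened resolver that rejects such names before any file is written. The upload root and file names are constructed samples.

```python
"""Containment check for a user-controlled upload file name.

Hypothetical example of the bug class behind CVE-2022-20962 (absolute
path sequences accepted by a file-management upload). The upload root
and every file name used here are constructed samples.
"""
from pathlib import PurePosixPath

UPLOAD_ROOT = PurePosixPath("/var/localdisk/uploads")  # constructed sample root


def join_unsafe(base: PurePosixPath, user_name: str) -> PurePosixPath:
    """Naive join: an absolute user name replaces the base entirely and
    '..' segments are kept, so the result can point outside the base."""
    return base / user_name  # same semantics as os.path.join


def join_safe(base: PurePosixPath, user_name: str) -> PurePosixPath:
    """Reject absolute names, collapse '..' lexically and confirm the
    result still lies under the base. The name must already be
    URL-decoded by the web layer before this check runs."""
    candidate = PurePosixPath(user_name)
    if candidate.is_absolute():
        raise ValueError("absolute path not allowed")
    parts = []
    for part in candidate.parts:  # PurePosixPath drops '.' but keeps '..'
        if part == "..":
            if not parts:
                raise ValueError("path escapes upload root")
            parts.pop()
        else:
            parts.append(part)
    if not parts:
        raise ValueError("empty file name")
    resolved = base.joinpath(*parts)
    if base not in resolved.parents:  # belt-and-braces containment check
        raise ValueError("path escapes upload root")
    return resolved


def is_contained(base: PurePosixPath, user_name: str) -> bool:
    """True when join_safe accepts the name, False when it rejects it."""
    try:
        join_safe(base, user_name)
        return True
    except ValueError:
        return False
```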
2. Cross-Site Scripting Vulnerability (CVE-2022-20963)
This vulnerability exists in the web-based management interface of Cisco Identity Services Engine (ISE) due to insufficient validation of user-supplied input by that interface. A remote attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface.
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.
Solution
Apply the appropriate updates as mentioned in the vendor information below:
Vendor Information
CISCO
References
CISCO
CVE Name
CVE-2022-20962
CVE-2022-20963