CVE-2015-4268

Multiple cross-site scripting (XSS) vulnerabilities in the Infra Admin UI in Cisco Identity Services Engine (ISE) 1.2(1.198) and 1.3(0.876) allow remote attackers to inject arbitrary web script or HTML via unspecified parameters in a (1) GET or (2) POST request, aka Bug ID CSCus16052.

CVSS v2.0 4.3 MEDIUM

4.3^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://tools.cisco.com/security/center/viewAlert.x?alertId=39873	Vendor Advisory
http://www.securitytracker.com/id/1032889	Third Party Advisory VDB Entry

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:cisco:identity_services_engine_software:1.2\(1.198\):::::::*
	cpe:2.3:a:cisco:identity_services_engine_software:1.3\(0.876\):::::::*

History

No history.

Information

Published : 2015-07-14 17:59

Updated : 2023-12-10 11:46

NVD link : CVE-2015-4268

Mitre link : CVE-2015-4268

CVE.ORG link : CVE-2015-4268

JSON object : View

Products Affected

cisco

identity_services_engine_software

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2015-4268", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}]}, "published": "2015-07-14T17:59:04.290", "references": [{"url": "http://tools.cisco.com/security/center/viewAlert.x?alertId=39873", "tags": ["Vendor Advisory"], "source": "ykramarz@cisco.com"}, {"url": "http://www.securitytracker.com/id/1032889", "tags": ["Third Party Advisory", "VDB Entry"], "source": "ykramarz@cisco.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in the Infra Admin UI in Cisco Identity Services Engine (ISE) 1.2(1.198) and 1.3(0.876) allow remote attackers to inject arbitrary web script or HTML via unspecified parameters in a (1) GET or (2) POST request, aka Bug ID CSCus16052."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XXS) en la infraestructura administrativa UI en Cisco Identity Services Engine (ISE) 1.2(1.198) y 1.3(0.876), permite a atacantes remotos inyectar arbitrariamente secuencias de comandos web o HTML a trav\u00e9s de par\u00e1metros no especificados en los m\u00e9todos GET o petici\u00f3n POST, error conocido como Bug ID CSCus16052."}], "lastModified": "2016-12-28T16:53:47.607", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:cisco:identity_services_engine_software:1.2\\(1.198\\):*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E4448DC8-E3DE-4D1D-870A-F399B2CAAD7D"}, {"criteria": "cpe:2.3:a:cisco:identity_services_engine_software:1.3\\(0.876\\):*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0F0C8A13-77BB-4D48-99C1-6C16D6A13FA5"}], "operator": "OR"}]}], "sourceIdentifier": "ykramarz@cisco.com"}