ID

VAR-201310-0506


CVE

CVE-2013-5523


TITLE

Clickjacking vulnerability in the Sponsor Portal of Cisco Identity Services Engine

Trust: 0.8

sources: JVNDB: JVNDB-2013-004596

DESCRIPTION

The Sponsor Portal in Cisco Identity Services Engine (ISE) 1.2 and earlier does not properly restrict use of IFRAME elements, which makes it easier for remote attackers to conduct clickjacking attacks and unspecified other attacks via a crafted web site, related to a "cross-frame scripting (XFS)" issue, aka Bug ID CSCui82666. This issue is related to a "cross-frame scripting (XFS)" vulnerability. The vendor has confirmed this vulnerability and released it as Bug ID CSCui82666. Unspecified attacks, such as a clickjacking attack, may be performed through a web site crafted by a third party. Cisco Identity Services Engine is prone to a cross-frame scripting vulnerability. Successful exploits will allow attackers to bypass the same-origin policy and perform unauthorized actions; other attacks are possible. This issue is being tracked by Cisco Bug ID CSCui82666. The ISE platform monitors the network by collecting real-time information on the network, users and devices, and by formulating and implementing corresponding policies. A cross-frame vulnerability exists in the Sponsor Portal in Cisco ISE 1.2 and earlier versions. The vulnerability is caused by the program not properly restricting the use of IFRAME elements. A remote attacker could exploit this vulnerability via a specially crafted website to carry out a clickjacking attack.

Trust: 1.98

sources: NVD: CVE-2013-5523 // JVNDB: JVNDB-2013-004596 // BID: 62869 // VULHUB: VHN-65525

AFFECTED PRODUCTS

vendor: cisco, model: identity services engine software, scope: lte, version: 1.2

Trust: 1.8

vendor: cisco, model: identity services engine software, scope: eq, version: 1.1

Trust: 1.6

vendor: cisco, model: identity services engine software, scope: eq, version: 1.0

Trust: 1.6

vendor: cisco, model: identity services engine software, scope: eq, version: 1.2

Trust: 0.6

sources: JVNDB: JVNDB-2013-004596 // CNNVD: CNNVD-201310-147 // NVD: CVE-2013-5523

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2013-5523
value: MEDIUM

Trust: 1.0

NVD: CVE-2013-5523
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201310-147
value: MEDIUM

Trust: 0.6

VULHUB: VHN-65525
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2013-5523
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-65525
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-65525 // JVNDB: JVNDB-2013-004596 // CNNVD: CNNVD-201310-147 // NVD: CVE-2013-5523

PROBLEMTYPE DATA

problemtype:CWE-20

Trust: 1.9

sources: VULHUB: VHN-65525 // JVNDB: JVNDB-2013-004596 // NVD: CVE-2013-5523

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201310-147

TYPE

input validation

Trust: 0.6

sources: CNNVD: CNNVD-201310-147

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-004596

PATCH

title: Cisco Identity Services Engine Sponsor Portal Cross-Frame Scripting Vulnerability, url: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-5523

Trust: 0.8

title: 31161, url: http://tools.cisco.com/security/center/viewAlert.x?alertId=31161

Trust: 0.8

sources: JVNDB: JVNDB-2013-004596

EXTERNAL IDS

db: NVD, id: CVE-2013-5523

Trust: 2.8

db: BID, id: 62869

Trust: 1.4

db: OSVDB, id: 98168

Trust: 1.1

db: SECUNIA, id: 55207

Trust: 1.1

db: SECTRACK, id: 1029157

Trust: 1.1

db: JVNDB, id: JVNDB-2013-004596

Trust: 0.8

db: CNNVD, id: CNNVD-201310-147

Trust: 0.7

db: CISCO, id: 20131007 CISCO IDENTITY SERVICES ENGINE SPONSOR PORTAL CROSS-FRAME SCRIPTING VULNERABILITY

Trust: 0.6

db: VULHUB, id: VHN-65525

Trust: 0.1

sources: VULHUB: VHN-65525 // BID: 62869 // JVNDB: JVNDB-2013-004596 // CNNVD: CNNVD-201310-147 // NVD: CVE-2013-5523

REFERENCES

url:http://tools.cisco.com/security/center/content/ciscosecuritynotice/cve-2013-5523

Trust: 1.7

url:http://tools.cisco.com/security/center/viewalert.x?alertid=31161

Trust: 1.7

url:http://www.securityfocus.com/bid/62869

Trust: 1.1

url:http://osvdb.org/98168

Trust: 1.1

url:http://www.securitytracker.com/id/1029157

Trust: 1.1

url:http://secunia.com/advisories/55207

Trust: 1.1

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/87724

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-5523

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-5523

Trust: 0.8

sources: VULHUB: VHN-65525 // JVNDB: JVNDB-2013-004596 // CNNVD: CNNVD-201310-147 // NVD: CVE-2013-5523

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 62869

SOURCES

db: VULHUB, id: VHN-65525
db: BID, id: 62869
db: JVNDB, id: JVNDB-2013-004596
db: CNNVD, id: CNNVD-201310-147
db: NVD, id: CVE-2013-5523

LAST UPDATE DATE

2024-11-23T22:59:46.400000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-65525, date: 2017-08-29T00:00:00
db: BID, id: 62869, date: 2013-10-10T06:33:00
db: JVNDB, id: JVNDB-2013-004596, date: 2013-10-11T00:00:00
db: CNNVD, id: CNNVD-201310-147, date: 2013-10-11T00:00:00
db: NVD, id: CVE-2013-5523, date: 2024-11-21T01:57:38.150

SOURCES RELEASE DATE

db: VULHUB, id: VHN-65525, date: 2013-10-10T00:00:00
db: BID, id: 62869, date: 2013-10-07T00:00:00
db: JVNDB, id: JVNDB-2013-004596, date: 2013-10-11T00:00:00
db: CNNVD, id: CNNVD-201310-147, date: 2013-10-11T00:00:00
db: NVD, id: CVE-2013-5523, date: 2013-10-10T10:55:06.583