ID

VAR-201507-0548


CVE

CVE-2015-4266


TITLE

Clickjacking vulnerability in the web interface of Cisco Identity Services Engine

Trust: 0.8

sources: JVNDB: JVNDB-2015-003850

DESCRIPTION

The web interface in Cisco Identity Services Engine (ISE) 1.1(4.1), 1.3(106.146), and 1.3(120.135) does not properly restrict use of IFRAME elements, which makes it easier for remote attackers to conduct clickjacking attacks and unspecified other attacks via a crafted web site, related to a "cross-frame scripting (XFS)" issue, aka Bug ID CSCut04556. Cisco Identity Services Engine Software is prone to a cross-frame scripting vulnerability. Successful exploits will allow attackers to bypass the same-origin policy and perform unauthorized actions; other attacks are possible. This issue is being tracked by Cisco Bug ID CSCut04556. The ISE platform monitors the network by collecting real-time information on the network, users and devices, and formulating and implementing corresponding policies. Cisco ISE versions 1.1(4.1), 1.3(106.146), and 1.3(120.135) have a security vulnerability in the web interface.

Trust: 1.98

sources: NVD: CVE-2015-4266 // JVNDB: JVNDB-2015-003850 // BID: 75937 // VULHUB: VHN-82227

AFFECTED PRODUCTS

vendor: cisco, model: identity services engine software, scope: eq, version: 1.3\(120.135\)

Trust: 1.6

vendor: cisco, model: identity services engine software, scope: eq, version: 1.1\(4.1\)

Trust: 1.6

vendor: cisco, model: identity services engine software, scope: eq, version: 1.3\(106.146\)

Trust: 1.6

vendor: cisco, model: identity services engine software, scope: eq, version: 1.3(120.135)

Trust: 1.1

vendor: cisco, model: identity services engine software, scope: eq, version: 1.3(106.146)

Trust: 1.1

vendor: cisco, model: identity services engine, scope: -, version: -

Trust: 0.8

vendor: cisco, model: identity services engine software, scope: eq, version: 1.1(4.1)

Trust: 0.8

vendor: cisco, model: identity services engine software patch, scope: eq, version: 1.1.41

Trust: 0.3

sources: BID: 75937 // JVNDB: JVNDB-2015-003850 // CNNVD: CNNVD-201507-631 // NVD: CVE-2015-4266

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-4266
value: MEDIUM

Trust: 1.0

NVD: CVE-2015-4266
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201507-631
value: MEDIUM

Trust: 0.6

VULHUB: VHN-82227
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2015-4266
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-82227
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-82227 // JVNDB: JVNDB-2015-003850 // CNNVD: CNNVD-201507-631 // NVD: CVE-2015-4266

PROBLEMTYPE DATA

problemtype:CWE-20

Trust: 1.9

sources: VULHUB: VHN-82227 // JVNDB: JVNDB-2015-003850 // NVD: CVE-2015-4266

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201507-631

TYPE

input validation

Trust: 0.6

sources: CNNVD: CNNVD-201507-631

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-003850

PATCH

title: 39871, url: http://tools.cisco.com/security/center/viewAlert.x?alertId=39871

Trust: 0.8

sources: JVNDB: JVNDB-2015-003850

EXTERNAL IDS

db: NVD, id: CVE-2015-4266

Trust: 2.8

db: SECTRACK, id: 1032930

Trust: 1.1

db: JVNDB, id: JVNDB-2015-003850

Trust: 0.8

db: CNNVD, id: CNNVD-201507-631

Trust: 0.7

db: BID, id: 75937

Trust: 0.4

db: VULHUB, id: VHN-82227

Trust: 0.1

sources: VULHUB: VHN-82227 // BID: 75937 // JVNDB: JVNDB-2015-003850 // CNNVD: CNNVD-201507-631 // NVD: CVE-2015-4266

REFERENCES

url:http://tools.cisco.com/security/center/viewalert.x?alertid=39871

Trust: 2.0

url:http://www.securitytracker.com/id/1032930

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-4266

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-4266

Trust: 0.8

url:http://www.cisco.com/

Trust: 0.3

url:http://www.cisco.com/en/us/products/ps11640/

Trust: 0.3

sources: VULHUB: VHN-82227 // BID: 75937 // JVNDB: JVNDB-2015-003850 // CNNVD: CNNVD-201507-631 // NVD: CVE-2015-4266

CREDITS

Cisco

Trust: 0.3

sources: BID: 75937

SOURCES

db: VULHUB, id: VHN-82227
db: BID, id: 75937
db: JVNDB, id: JVNDB-2015-003850
db: CNNVD, id: CNNVD-201507-631
db: NVD, id: CVE-2015-4266

LAST UPDATE DATE

2024-11-23T22:31:07.795000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-82227, date: 2017-09-22T00:00:00
db: BID, id: 75937, date: 2015-07-14T00:00:00
db: JVNDB, id: JVNDB-2015-003850, date: 2015-07-22T00:00:00
db: CNNVD, id: CNNVD-201507-631, date: 2015-07-23T00:00:00
db: NVD, id: CVE-2015-4266, date: 2024-11-21T02:30:44.013

SOURCES RELEASE DATE

db: VULHUB, id: VHN-82227, date: 2015-07-16T00:00:00
db: BID, id: 75937, date: 2015-07-14T00:00:00
db: JVNDB, id: JVNDB-2015-003850, date: 2015-07-22T00:00:00
db: CNNVD, id: CNNVD-201507-631, date: 2015-07-17T00:00:00
db: NVD, id: CVE-2015-4266, date: 2015-07-16T19:59:00.083