ID

VAR-201612-0481


CVE

CVE-2016-9214


TITLE

Cisco Identity Services Engine vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2016-006288

DESCRIPTION

Cisco Identity Services Engine (ISE) contains a vulnerability that could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against the user of the web interface of the affected system. More Information: CSCvb86332 CSCvb86760. Known Affected Releases: 2.0(101.130). An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issue is being tracked by Cisco Bug IDs CSCvb86332 and CSCvb86760. The ISE platform monitors the network by collecting real-time information on the network, users and devices, and by formulating and implementing corresponding policies. The vulnerability is caused by the program's insufficient checking of parameters submitted via the HTTP GET or POST method. A remote attacker could exploit this vulnerability to intercept user packets and inject malicious code.

Trust: 1.98

sources: NVD: CVE-2016-9214 // JVNDB: JVNDB-2016-006288 // BID: 94807 // VULHUB: VHN-98034

AFFECTED PRODUCTS

vendor: cisco // model: identity services engine software // scope: eq // version: 2.0\(1.130\)

Trust: 1.6

vendor: cisco // model: identity services engine software // scope: eq // version: 2.0(101.130)

Trust: 0.8

vendor: cisco // model: identity services engine // scope: eq // version: 0

Trust: 0.3

sources: BID: 94807 // JVNDB: JVNDB-2016-006288 // CNNVD: CNNVD-201612-227 // NVD: CVE-2016-9214

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2016-9214
value: MEDIUM

Trust: 1.0

NVD: CVE-2016-9214
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201612-227
value: MEDIUM

Trust: 0.6

VULHUB: VHN-98034
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2016-9214
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-98034
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2016-9214
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-98034 // JVNDB: JVNDB-2016-006288 // CNNVD: CNNVD-201612-227 // NVD: CVE-2016-9214

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-98034 // JVNDB: JVNDB-2016-006288 // NVD: CVE-2016-9214

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201612-227

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201612-227

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-006288

PATCH

title: cisco-sa-20161207-ise1 // url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161207-ise1

Trust: 0.8

title: Cisco Identity Services Engine Fixes for cross-site scripting vulnerabilities // url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=66264

Trust: 0.6

sources: JVNDB: JVNDB-2016-006288 // CNNVD: CNNVD-201612-227

EXTERNAL IDS

db: NVD // id: CVE-2016-9214

Trust: 2.8

db: BID // id: 94807

Trust: 1.4

db: SECTRACK // id: 1037417

Trust: 1.1

db: JVNDB // id: JVNDB-2016-006288

Trust: 0.8

db: CNNVD // id: CNNVD-201612-227

Trust: 0.7

db: VULHUB // id: VHN-98034

Trust: 0.1

sources: VULHUB: VHN-98034 // BID: 94807 // JVNDB: JVNDB-2016-006288 // CNNVD: CNNVD-201612-227 // NVD: CVE-2016-9214

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20161207-ise1

Trust: 2.0

url:http://www.securityfocus.com/bid/94807

Trust: 1.1

url:http://www.securitytracker.com/id/1037417

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-9214

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-9214

Trust: 0.8

url:http://www.cisco.com/

Trust: 0.3

sources: VULHUB: VHN-98034 // BID: 94807 // JVNDB: JVNDB-2016-006288 // CNNVD: CNNVD-201612-227 // NVD: CVE-2016-9214

CREDITS

Code injection

Trust: 0.6

sources: CNNVD: CNNVD-201612-227

SOURCES

db: VULHUB // id: VHN-98034
db: BID // id: 94807
db: JVNDB // id: JVNDB-2016-006288
db: CNNVD // id: CNNVD-201612-227
db: NVD // id: CVE-2016-9214

LAST UPDATE DATE

2024-11-23T23:09:06.726000+00:00


SOURCES UPDATE DATE

db: VULHUB // id: VHN-98034 // date: 2016-12-22T00:00:00
db: BID // id: 94807 // date: 2016-12-20T01:08:00
db: JVNDB // id: JVNDB-2016-006288 // date: 2016-12-19T00:00:00
db: CNNVD // id: CNNVD-201612-227 // date: 2016-12-14T00:00:00
db: NVD // id: CVE-2016-9214 // date: 2024-11-21T03:00:48.700

SOURCES RELEASE DATE

db: VULHUB // id: VHN-98034 // date: 2016-12-14T00:00:00
db: BID // id: 94807 // date: 2016-12-07T00:00:00
db: JVNDB // id: JVNDB-2016-006288 // date: 2016-12-19T00:00:00
db: CNNVD // id: CNNVD-201612-227 // date: 2016-12-09T00:00:00
db: NVD // id: CVE-2016-9214 // date: 2016-12-14T00:59:35.443