ID

VAR-201707-0911


CVE

CVE-2017-6701


TITLE

Stored cross-site scripting vulnerability in the Cisco ISE portal web application interface

Trust: 0.8

sources: JVNDB: JVNDB-2017-005311

DESCRIPTION

A vulnerability in the web application interface of the Cisco Identity Services Engine (ISE) portal could allow an unauthenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web interface of an affected system. More Information: CSCvd49141. Known Affected Releases: 2.1(102.101). Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible. This issue is being tracked by Cisco Bug ID CSCvd49141. The platform monitors the network by collecting real-time information on the network, users and devices, and formulating and implementing corresponding policies. The vulnerability stems from the program's insufficient filtering of user-submitted data.

Trust: 1.98

sources: NVD: CVE-2017-6701 // JVNDB: JVNDB-2017-005311 // BID: 99208 // VULHUB: VHN-114904

AFFECTED PRODUCTS

vendor: cisco, model: identity services engine, scope: eq, version: 2.1(102.101)

Trust: 1.6

vendor: cisco, model: identity services engine software, scope: eq, version: 2.1(102.101)

Trust: 0.8

vendor: cisco, model: identity services engine series appliances, scope: eq, version: 33002.1(102.101)

Trust: 0.3

vendor: cisco, model: identity services engine, scope: eq, version: 0

Trust: 0.3

sources: BID: 99208 // JVNDB: JVNDB-2017-005311 // CNNVD: CNNVD-201706-1010 // NVD: CVE-2017-6701

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-6701
value: MEDIUM

Trust: 1.0

NVD: CVE-2017-6701
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201706-1010
value: MEDIUM

Trust: 0.6

VULHUB: VHN-114904
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2017-6701
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-114904
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-6701
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-114904 // JVNDB: JVNDB-2017-005311 // CNNVD: CNNVD-201706-1010 // NVD: CVE-2017-6701

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.9

sources: VULHUB: VHN-114904 // JVNDB: JVNDB-2017-005311 // NVD: CVE-2017-6701

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201706-1010

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201706-1010

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-005311

PATCH

title: cisco-sa-20170621-ise, url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170621-ise

Trust: 0.8

title: Cisco Identity Services Engine Fixes for cross-site scripting vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=71273

Trust: 0.6

sources: JVNDB: JVNDB-2017-005311 // CNNVD: CNNVD-201706-1010

EXTERNAL IDS

db: NVD, id: CVE-2017-6701

Trust: 2.8

db: BID, id: 99208

Trust: 2.0

db: SECTRACK, id: 1038740

Trust: 1.1

db: JVNDB, id: JVNDB-2017-005311

Trust: 0.8

db: CNNVD, id: CNNVD-201706-1010

Trust: 0.7

db: NSFOCUS, id: 36956

Trust: 0.6

db: VULHUB, id: VHN-114904

Trust: 0.1

sources: VULHUB: VHN-114904 // BID: 99208 // JVNDB: JVNDB-2017-005311 // CNNVD: CNNVD-201706-1010 // NVD: CVE-2017-6701

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20170621-ise

Trust: 2.0

url:http://www.securityfocus.com/bid/99208

Trust: 1.7

url:http://www.securitytracker.com/id/1038740

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-6701

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2017-6701

Trust: 0.8

url:http://www.nsfocus.net/vulndb/36956

Trust: 0.6

url:http://www.cisco.com

Trust: 0.3

sources: VULHUB: VHN-114904 // BID: 99208 // JVNDB: JVNDB-2017-005311 // CNNVD: CNNVD-201706-1010 // NVD: CVE-2017-6701

CREDITS

Steve Park, Security Consultant, NCC Group and Christian Chung, Security Consultant, NCC Group

Trust: 0.9

sources: BID: 99208 // CNNVD: CNNVD-201706-1010

SOURCES

db: VULHUB, id: VHN-114904
db: BID, id: 99208
db: JVNDB, id: JVNDB-2017-005311
db: CNNVD, id: CNNVD-201706-1010
db: NVD, id: CVE-2017-6701

LAST UPDATE DATE

2024-11-23T22:12:57.781000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-114904, date: 2017-07-07T00:00:00
db: BID, id: 99208, date: 2017-06-21T00:00:00
db: JVNDB, id: JVNDB-2017-005311, date: 2017-07-26T00:00:00
db: CNNVD, id: CNNVD-201706-1010, date: 2017-07-04T00:00:00
db: NVD, id: CVE-2017-6701, date: 2024-11-21T03:30:20.223

SOURCES RELEASE DATE

db: VULHUB, id: VHN-114904, date: 2017-07-04T00:00:00
db: BID, id: 99208, date: 2017-06-21T00:00:00
db: JVNDB, id: JVNDB-2017-005311, date: 2017-07-26T00:00:00
db: CNNVD, id: CNNVD-201706-1010, date: 2017-06-29T00:00:00
db: NVD, id: CVE-2017-6701, date: 2017-07-04T00:29:00.337