ID

VAR-201901-0587


CVE

CVE-2018-15455


TITLE

Cisco Identity Services Engine Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2018-013679

DESCRIPTION

A vulnerability in the logging component of Cisco Identity Services Engine could allow an unauthenticated, remote attacker to conduct cross-site scripting attacks. The vulnerability is due to the improper validation of requests stored in the system's logging database. An attacker could exploit this vulnerability by sending malicious requests to the targeted system. An exploit could allow the attacker to conduct cross-site scripting attacks when an administrator views the logs in the Admin Portal. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issue is being tracked by Cisco Bug ID CSCvm62862. The platform monitors the network by collecting real-time information on the network, users and devices, and formulating and implementing corresponding policies

Trust: 1.98

sources: NVD: CVE-2018-15455 // JVNDB: JVNDB-2018-013679 // BID: 106708 // VULHUB: VHN-125716

AFFECTED PRODUCTS

vendor:ciscomodel:identity services enginescope:eqversion:2.3\(0.905\)

Trust: 1.0

vendor:ciscomodel:identity services enginescope:eqversion:2.4\(0.903\)

Trust: 1.0

vendor:ciscomodel:identity services enginescope:eqversion:2.2\(0.910\)

Trust: 1.0

vendor:ciscomodel:identity services engine softwarescope: - version: -

Trust: 0.8

vendor:ciscomodel:identity services enginescope:eqversion:2.4(0.903)

Trust: 0.3

vendor:ciscomodel:identity services enginescope:eqversion:2.3(0.905)

Trust: 0.3

vendor:ciscomodel:identity services enginescope:eqversion:2.2(0.910)

Trust: 0.3

vendor:ciscomodel:identity services enginescope:neversion:2.2(0.913)

Trust: 0.3

sources: BID: 106708 // JVNDB: JVNDB-2018-013679 // NVD: CVE-2018-15455

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-15455
value: MEDIUM

Trust: 1.0

ykramarz@cisco.com: CVE-2018-15455
value: MEDIUM

Trust: 1.0

NVD: CVE-2018-15455
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201901-847
value: MEDIUM

Trust: 0.6

VULHUB: VHN-125716
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2018-15455
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-125716
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-15455
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.0

Trust: 2.8

sources: VULHUB: VHN-125716 // JVNDB: JVNDB-2018-013679 // CNNVD: CNNVD-201901-847 // NVD: CVE-2018-15455 // NVD: CVE-2018-15455

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-125716 // JVNDB: JVNDB-2018-013679 // NVD: CVE-2018-15455

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201901-847

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201901-847

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-013679

PATCH

title:cisco-sa-20190123-isel-xssurl:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-isel-xss

Trust: 0.8

title:Cisco Identity Services Engine Fixes for cross-site scripting vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=88929

Trust: 0.6

sources: JVNDB: JVNDB-2018-013679 // CNNVD: CNNVD-201901-847

EXTERNAL IDS

db:NVDid:CVE-2018-15455

Trust: 2.8

db:BIDid:106708

Trust: 2.0

db:JVNDBid:JVNDB-2018-013679

Trust: 0.8

db:CNNVDid:CNNVD-201901-847

Trust: 0.7

db:NSFOCUSid:43897

Trust: 0.6

db:VULHUBid:VHN-125716

Trust: 0.1

sources: VULHUB: VHN-125716 // BID: 106708 // JVNDB: JVNDB-2018-013679 // CNNVD: CNNVD-201901-847 // NVD: CVE-2018-15455

REFERENCES

url:http://www.securityfocus.com/bid/106708

Trust: 2.3

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190123-isel-xss

Trust: 2.0

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-15455

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2018-15455

Trust: 0.8

url:http://www.nsfocus.net/vulndb/43897

Trust: 0.6

url:http://www.cisco.com/

Trust: 0.3

sources: VULHUB: VHN-125716 // BID: 106708 // JVNDB: JVNDB-2018-013679 // CNNVD: CNNVD-201901-847 // NVD: CVE-2018-15455

CREDITS

This vulnerability was found during internal security testing.,Cisco

Trust: 0.6

sources: CNNVD: CNNVD-201901-847

SOURCES

db:VULHUBid:VHN-125716
db:BIDid:106708
db:JVNDBid:JVNDB-2018-013679
db:CNNVDid:CNNVD-201901-847
db:NVDid:CVE-2018-15455

LAST UPDATE DATE

2024-11-23T22:51:52.915000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-125716date:2019-10-09T00:00:00
db:BIDid:106708date:2019-01-23T00:00:00
db:JVNDBid:JVNDB-2018-013679date:2019-02-28T00:00:00
db:CNNVDid:CNNVD-201901-847date:2019-10-17T00:00:00
db:NVDid:CVE-2018-15455date:2024-11-21T03:50:50.500

SOURCES RELEASE DATE

db:VULHUBid:VHN-125716date:2019-01-23T00:00:00
db:BIDid:106708date:2019-01-23T00:00:00
db:JVNDBid:JVNDB-2018-013679date:2019-02-28T00:00:00
db:CNNVDid:CNNVD-201901-847date:2019-01-24T00:00:00
db:NVDid:CVE-2018-15455date:2019-01-23T22:29:00.400