ID

VAR-201907-0399


CVE

CVE-2019-1941


TITLE

Cisco Identity Services Engine Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2019-006925

DESCRIPTION

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user to click a malicious link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. At the time of publication, this vulnerability affected Cisco ISE running software releases prior to 2.4.0 Patch 9 and 2.6.0. This issue is being tracked by Cisco Bug ID CSCvm10275. Cisco ISE is a platform that monitors the network by collecting real-time information on the network, users and devices, and by formulating and implementing corresponding policies. The vulnerability stems from the lack of correct validation of client data in web applications.

Trust: 1.98

sources: NVD: CVE-2019-1941 // JVNDB: JVNDB-2019-006925 // BID: 109297 // VULHUB: VHN-151853

AFFECTED PRODUCTS

vendor:cisco model:identity services engine scope:eq version:2.4.0

Trust: 1.0

vendor:cisco model:identity services engine scope:eq version:2.4\(0.902\)

Trust: 1.0

vendor:cisco model:identity services engine scope:eq version:2.5\(0.225\)

Trust: 1.0

vendor:cisco model:identity services engine scope:lt version:2.4.0

Trust: 1.0

vendor:cisco model:identity services engine scope:lt version:2.4.0 patch 9

Trust: 0.8

vendor:cisco model:identity services engine scope:lt version:2.6.0

Trust: 0.8

vendor:cisco model:identity services engine scope:eq version:2.3

Trust: 0.3

vendor:cisco model:identity services engine patch scope:eq version:2.2.11

Trust: 0.3

vendor:cisco model:identity services engine patch scope:eq version:2.210

Trust: 0.3

vendor:cisco model:identity services engine scope:eq version:1.2899-2

Trust: 0.3

vendor:cisco model:identity services engine scope:eq version:1.2899

Trust: 0.3

vendor:cisco model:identity services engine scope:eq version:1.1.4218

Trust: 0.3

vendor:cisco model:identity services engine scope:eq version:1.1.3

Trust: 0.3

vendor:cisco model:identity services engine scope:eq version:1.0.4573-6

Trust: 0.3

vendor:cisco model:identity services engine scope:eq version:1.0.4

Trust: 0.3

vendor:cisco model:identity services engine scope:eq version:2.4(0.902)

Trust: 0.3

vendor:cisco model:identity services engine scope:eq version:2.4(0.901.1)

Trust: 0.3

vendor:cisco model:identity services engine scope:eq version:2.4(0.901)

Trust: 0.3

vendor:cisco model:identity services engine scope:eq version:2.4(0.357)

Trust: 0.3

vendor:cisco model:identity services engine scope:eq version:2.4(0.183)

Trust: 0.3

vendor:cisco model:identity services engine patch scope:eq version:2.42

Trust: 0.3

vendor:cisco model:identity services engine scope:eq version:2.4

Trust: 0.3

vendor:cisco model:identity services engine scope:eq version:2.3(0.905)

Trust: 0.3

vendor:cisco model:identity services engine scope:eq version:2.3(0.904)

Trust: 0.3

vendor:cisco model:identity services engine scope:eq version:2.3(0.298)

Trust: 0.3

vendor:cisco model:identity services engine patch scope:eq version:2.35

Trust: 0.3

vendor:cisco model:identity services engine 2.2.0.470-patch5 scope: - version: -

Trust: 0.3

vendor:cisco model:identity services engine patch scope:eq version:2.2.02

Trust: 0.3

vendor:cisco model:identity services engine scope:eq version:2.2.0

Trust: 0.3

vendor:cisco model:identity services engine scope:eq version:2.2(0.913)

Trust: 0.3

vendor:cisco model:identity services engine scope:eq version:2.2(0.911)

Trust: 0.3

vendor:cisco model:identity services engine scope:eq version:2.2(0.910)

Trust: 0.3

vendor:cisco model:identity services engine scope:eq version:2.2(0.470)

Trust: 0.3

vendor:cisco model:identity services engine scope:eq version:2.2(0.231)

Trust: 0.3

vendor:cisco model:identity services engine patch7 scope:eq version:2.1.0

Trust: 0.3

vendor:cisco model:identity services engine scope:eq version:2.1.0

Trust: 0.3

vendor:cisco model:identity services engine scope:eq version:2.1(0.908)

Trust: 0.3

vendor:cisco model:identity services engine scope:eq version:2.1(0.907)

Trust: 0.3

vendor:cisco model:identity services engine scope:eq version:2.1(0.188)

Trust: 0.3

vendor:cisco model:identity services engine patch scope:eq version:2.15

Trust: 0.3

vendor:cisco model:identity services engine scope:eq version:2.0.1

Trust: 0.3

vendor:cisco model:identity services engine scope:eq version:2.0(0.901)

Trust: 0.3

vendor:cisco model:identity services engine scope:eq version:2.0

Trust: 0.3

vendor:cisco model:identity services engine scope:eq version:1.4(0.908)

Trust: 0.3

vendor:cisco model:identity services engine patch scope:eq version:1.47

Trust: 0.3

vendor:cisco model:identity services engine patch scope:eq version:1.46

Trust: 0.3

vendor:cisco model:identity services engine patch scope:eq version:1.45

Trust: 0.3

vendor:cisco model:identity services engine patch scope:eq version:1.44

Trust: 0.3

vendor:cisco model:identity services engine patch scope:eq version:1.43

Trust: 0.3

vendor:cisco model:identity services engine patch scope:eq version:1.42

Trust: 0.3

vendor:cisco model:identity services engine patch scope:eq version:1.41

Trust: 0.3

vendor:cisco model:identity services engine scope:eq version:1.4

Trust: 0.3

vendor:cisco model:identity services engine scope:eq version:1.3(0.876)

Trust: 0.3

vendor:cisco model:identity services engine patch scope:eq version:1.36

Trust: 0.3

vendor:cisco model:identity services engine patch scope:eq version:1.35

Trust: 0.3

vendor:cisco model:identity services engine patch scope:eq version:1.34

Trust: 0.3

vendor:cisco model:identity services engine patch scope:eq version:1.33

Trust: 0.3

vendor:cisco model:identity services engine patch scope:eq version:1.32

Trust: 0.3

vendor:cisco model:identity services engine patch scope:eq version:1.31

Trust: 0.3

vendor:cisco model:identity services engine scope:eq version:1.3

Trust: 0.3

vendor:cisco model:identity services engine scope:eq version:1.2(0.967)

Trust: 0.3

vendor:cisco model:identity services engine patch scope:eq version:1.29

Trust: 0.3

vendor:cisco model:identity services engine patch scope:eq version:1.28

Trust: 0.3

vendor:cisco model:identity services engine patch scope:eq version:1.27

Trust: 0.3

vendor:cisco model:identity services engine patch scope:eq version:1.26

Trust: 0.3

vendor:cisco model:identity services engine patch scope:eq version:1.25

Trust: 0.3

vendor:cisco model:identity services engine patch scope:eq version:1.24

Trust: 0.3

vendor:cisco model:identity services engine patch scope:eq version:1.23

Trust: 0.3

vendor:cisco model:identity services engine patch scope:eq version:1.22

Trust: 0.3

vendor:cisco model:identity services engine patch scope:eq version:1.21

Trust: 0.3

vendor:cisco model:identity services engine scope:eq version:1.2

Trust: 0.3

vendor:cisco model:identity services engine patch scope:eq version:1.16

Trust: 0.3

vendor:cisco model:identity services engine patch scope:eq version:1.15

Trust: 0.3

vendor:cisco model:identity services engine patch scope:eq version:1.14

Trust: 0.3

vendor:cisco model:identity services engine patch scope:eq version:1.13

Trust: 0.3

vendor:cisco model:identity services engine patch scope:eq version:1.12

Trust: 0.3

vendor:cisco model:identity services engine patch scope:eq version:1.11

Trust: 0.3

vendor:cisco model:identity services engine scope:eq version:1.1

Trust: 0.3

vendor:cisco model:identity services engine 1.0.4.mr2 scope: - version: -

Trust: 0.3

vendor:cisco model:identity services engine scope:eq version:1.0.4.573

Trust: 0.3

vendor:cisco model:identity services engine mr scope:eq version:1.0

Trust: 0.3

vendor:cisco model:identity services engine scope:eq version:1.0

Trust: 0.3

vendor:cisco model:identity services engine scope:ne version:2.6

Trust: 0.3

vendor:cisco model:identity services engine patch scope:ne version:2.49

Trust: 0.3

sources: BID: 109297 // JVNDB: JVNDB-2019-006925 // NVD: CVE-2019-1941

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-1941
value: MEDIUM

Trust: 1.0

ykramarz@cisco.com: CVE-2019-1941
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-1941
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201907-1004
value: MEDIUM

Trust: 0.6

VULHUB: VHN-151853
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-1941
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-151853
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-1941
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.0

Trust: 2.8

sources: VULHUB: VHN-151853 // JVNDB: JVNDB-2019-006925 // CNNVD: CNNVD-201907-1004 // NVD: CVE-2019-1941 // NVD: CVE-2019-1941

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-151853 // JVNDB: JVNDB-2019-006925 // NVD: CVE-2019-1941

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201907-1004

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201907-1004

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-006925

PATCH

title:cisco-sa-20190717-ise-xss url:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190717-ise-xss

Trust: 0.8

title:Cisco Identity Services Engine Fixes for cross-site scripting vulnerabilities url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=95038

Trust: 0.6

sources: JVNDB: JVNDB-2019-006925 // CNNVD: CNNVD-201907-1004

EXTERNAL IDS

db:NVD id:CVE-2019-1941

Trust: 2.8

db:BID id:109297

Trust: 2.0

db:JVNDB id:JVNDB-2019-006925

Trust: 0.8

db:CNNVD id:CNNVD-201907-1004

Trust: 0.7

db:AUSCERT id:ESB-2019.2678

Trust: 0.6

db:VULHUB id:VHN-151853

Trust: 0.1

sources: VULHUB: VHN-151853 // BID: 109297 // JVNDB: JVNDB-2019-006925 // CNNVD: CNNVD-201907-1004 // NVD: CVE-2019-1941

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190717-ise-xss

Trust: 2.0

url:http://www.securityfocus.com/bid/109297

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2019-1941

Trust: 1.4

url:http://www.cisco.com/

Trust: 0.9

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-1941

Trust: 0.8

url:https://www.auscert.org.au/bulletins/esb-2019.2678/

Trust: 0.6

sources: VULHUB: VHN-151853 // BID: 109297 // JVNDB: JVNDB-2019-006925 // CNNVD: CNNVD-201907-1004 // NVD: CVE-2019-1941

CREDITS

Cisco

Trust: 0.9

sources: BID: 109297 // CNNVD: CNNVD-201907-1004

SOURCES

db:VULHUB id:VHN-151853
db:BID id:109297
db:JVNDB id:JVNDB-2019-006925
db:CNNVD id:CNNVD-201907-1004
db:NVD id:CVE-2019-1941

LAST UPDATE DATE

2024-08-14T15:23:04.533000+00:00


SOURCES UPDATE DATE

db:VULHUB id:VHN-151853 date:2019-10-09T00:00:00
db:BID id:109297 date:2019-07-17T00:00:00
db:JVNDB id:JVNDB-2019-006925 date:2019-07-30T00:00:00
db:CNNVD id:CNNVD-201907-1004 date:2019-07-29T00:00:00
db:NVD id:CVE-2019-1941 date:2019-10-09T23:48:37.130

SOURCES RELEASE DATE

db:VULHUB id:VHN-151853 date:2019-07-17T00:00:00
db:BID id:109297 date:2019-07-17T00:00:00
db:JVNDB id:JVNDB-2019-006925 date:2019-07-30T00:00:00
db:CNNVD id:CNNVD-201907-1004 date:2019-07-17T00:00:00
db:NVD id:CVE-2019-1941 date:2019-07-17T21:15:12.310