Details of VAR-202002-0718

ID

VAR-202002-0718

CVE

CVE-2020-3156

TITLE

Cisco Identity Services Engine Cross-site scripting vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2020-002134

DESCRIPTION

A vulnerability in the logging component of Cisco Identity Services Engine could allow an unauthenticated remote attacker to conduct cross-site scripting attacks. The vulnerability is due to the improper validation of endpoint data stored in logs used by the web-based interface. An attacker could exploit this vulnerability by sending malicious endpoint data to the targeted system. An exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or to access sensitive, browser-based information. The platform monitors the network by collecting real-time information on the network, users and devices, and formulating and implementing corresponding policies

Trust: 1.71

sources: NVD: CVE-2020-3156 // JVNDB: JVNDB-2020-002134 // VULHUB: VHN-181281

AFFECTED PRODUCTS

vendor:	cisco	model:	identity services engine	scope:	eq	version:	2.6.0	Trust: 1.6
vendor:	cisco	model:	identity services engine	scope:	eq	version:	2.7	Trust: 1.6
vendor:	cisco	model:	identity services engine software	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2020-002134 // CNNVD: CNNVD-202002-959 // NVD: CVE-2020-3156

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-3156
value:	MEDIUM
Trust: 1.0
ykramarz@cisco.com:	CVE-2020-3156
value:	MEDIUM
Trust: 1.0
NVD:	JVNDB-2020-002134
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-202002-959
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-181281
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2020-3156
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
NVD:	JVNDB-2020-002134
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
VULHUB:	VHN-181281
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2020-3156
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	2.7
version:	3.1
Trust: 2.0
NVD:	JVNDB-2020-002134
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-181281 // JVNDB: JVNDB-2020-002134 // CNNVD: CNNVD-202002-959 // NVD: CVE-2020-3156 // NVD: CVE-2020-3156

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.9

sources: VULHUB: VHN-181281 // JVNDB: JVNDB-2020-002134 // NVD: CVE-2020-3156

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202002-959

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202002-959

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-002134

PATCH

title:	cisco-sa-ise-xss-s3ekcKch	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-xss-s3ekcKch	Trust: 0.8
title:	Cisco Identity Services Engine Fixes for cross-site scripting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=110025	Trust: 0.6

sources: JVNDB: JVNDB-2020-002134 // CNNVD: CNNVD-202002-959

EXTERNAL IDS

db:	NVD	id:	CVE-2020-3156	Trust: 2.5
db:	JVNDB	id:	JVNDB-2020-002134	Trust: 0.8
db:	CNNVD	id:	CNNVD-202002-959	Trust: 0.7
db:	AUSCERT	id:	ESB-2020.0607	Trust: 0.6
db:	VULHUB	id:	VHN-181281	Trust: 0.1

sources: VULHUB: VHN-181281 // JVNDB: JVNDB-2020-002134 // CNNVD: CNNVD-202002-959 // NVD: CVE-2020-3156

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-ise-xss-s3ekckch	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2020-3156	Trust: 1.4
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-3156	Trust: 0.8
url:	https://www.auscert.org.au/bulletins/esb-2020.0607/	Trust: 0.6

sources: VULHUB: VHN-181281 // JVNDB: JVNDB-2020-002134 // CNNVD: CNNVD-202002-959 // NVD: CVE-2020-3156

SOURCES

db:	VULHUB	id:	VHN-181281
db:	JVNDB	id:	JVNDB-2020-002134
db:	CNNVD	id:	CNNVD-202002-959
db:	NVD	id:	CVE-2020-3156

LAST UPDATE DATE

2024-08-14T14:19:06.129000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-181281	date:	2020-02-24T00:00:00
db:	JVNDB	id:	JVNDB-2020-002134	date:	2020-03-04T00:00:00
db:	CNNVD	id:	CNNVD-202002-959	date:	2020-02-25T00:00:00
db:	NVD	id:	CVE-2020-3156	date:	2023-11-07T03:22:34.543

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-181281	date:	2020-02-19T00:00:00
db:	JVNDB	id:	JVNDB-2020-002134	date:	2020-03-04T00:00:00
db:	CNNVD	id:	CNNVD-202002-959	date:	2020-02-19T00:00:00
db:	NVD	id:	CVE-2020-3156	date:	2020-02-19T20:15:15.300