ID

VAR-202002-0718


CVE

CVE-2020-3156


TITLE

Cisco Identity Services Engine Cross-site scripting vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2020-002134

DESCRIPTION

A vulnerability in the logging component of Cisco Identity Services Engine could allow an unauthenticated remote attacker to conduct cross-site scripting attacks. The vulnerability is due to the improper validation of endpoint data stored in logs used by the web-based interface. An attacker could exploit this vulnerability by sending malicious endpoint data to the targeted system. An exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or to access sensitive, browser-based information. The platform monitors the network by collecting real-time information on the network, users and devices, and formulating and implementing corresponding policies.

Trust: 1.71

sources: NVD: CVE-2020-3156 // JVNDB: JVNDB-2020-002134 // VULHUB: VHN-181281

AFFECTED PRODUCTS

vendor: cisco, model: identity services engine, scope: eq, version: 2.6.0

Trust: 1.6

vendor: cisco, model: identity services engine, scope: eq, version: 2.7

Trust: 1.6

vendor: cisco, model: identity services engine software, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2020-002134 // CNNVD: CNNVD-202002-959 // NVD: CVE-2020-3156

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-3156
value: MEDIUM

Trust: 1.0

ykramarz@cisco.com: CVE-2020-3156
value: MEDIUM

Trust: 1.0

NVD: JVNDB-2020-002134
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202002-959
value: MEDIUM

Trust: 0.6

VULHUB: VHN-181281
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-3156
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2020-002134
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-181281
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-3156
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.1

Trust: 2.0

NVD: JVNDB-2020-002134
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-181281 // JVNDB: JVNDB-2020-002134 // CNNVD: CNNVD-202002-959 // NVD: CVE-2020-3156 // NVD: CVE-2020-3156

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-181281 // JVNDB: JVNDB-2020-002134 // NVD: CVE-2020-3156

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202002-959

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202002-959

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-002134

PATCH

title: cisco-sa-ise-xss-s3ekcKch, url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-xss-s3ekcKch

Trust: 0.8

title: Cisco Identity Services Engine Fixes for cross-site scripting vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=110025

Trust: 0.6

sources: JVNDB: JVNDB-2020-002134 // CNNVD: CNNVD-202002-959

EXTERNAL IDS

db: NVD, id: CVE-2020-3156

Trust: 2.5

db: JVNDB, id: JVNDB-2020-002134

Trust: 0.8

db: CNNVD, id: CNNVD-202002-959

Trust: 0.7

db: AUSCERT, id: ESB-2020.0607

Trust: 0.6

db: VULHUB, id: VHN-181281

Trust: 0.1

sources: VULHUB: VHN-181281 // JVNDB: JVNDB-2020-002134 // CNNVD: CNNVD-202002-959 // NVD: CVE-2020-3156

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-ise-xss-s3ekckch

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2020-3156

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-3156

Trust: 0.8

url:https://www.auscert.org.au/bulletins/esb-2020.0607/

Trust: 0.6

sources: VULHUB: VHN-181281 // JVNDB: JVNDB-2020-002134 // CNNVD: CNNVD-202002-959 // NVD: CVE-2020-3156

SOURCES

db: VULHUB, id: VHN-181281
db: JVNDB, id: JVNDB-2020-002134
db: CNNVD, id: CNNVD-202002-959
db: NVD, id: CVE-2020-3156

LAST UPDATE DATE

2024-08-14T14:19:06.129000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-181281, date: 2020-02-24T00:00:00
db: JVNDB, id: JVNDB-2020-002134, date: 2020-03-04T00:00:00
db: CNNVD, id: CNNVD-202002-959, date: 2020-02-25T00:00:00
db: NVD, id: CVE-2020-3156, date: 2023-11-07T03:22:34.543

SOURCES RELEASE DATE

db: VULHUB, id: VHN-181281, date: 2020-02-19T00:00:00
db: JVNDB, id: JVNDB-2020-002134, date: 2020-03-04T00:00:00
db: CNNVD, id: CNNVD-202002-959, date: 2020-02-19T00:00:00
db: NVD, id: CVE-2020-3156, date: 2020-02-19T20:15:15.300