ID

VAR-202003-1184


CVE

CVE-2020-3157


TITLE

Cisco Identity Services Engine Cross-site scripting vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2020-002427

DESCRIPTION

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based interface. The vulnerability is due to insufficient validation of user-supplied input to the web-based management interface. An attacker could exploit this vulnerability by crafting a malicious configuration and saving it to the targeted system. An exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information when an administrator views the configuration. An attacker would need write permissions to exploit this vulnerability successfully. Cisco ISE is a platform that monitors the network by collecting real-time information on the network, users and devices, and formulating and implementing corresponding policies.

Trust: 1.71

sources: NVD: CVE-2020-3157 // JVNDB: JVNDB-2020-002427 // VULHUB: VHN-181282

AFFECTED PRODUCTS

vendor: cisco, model: identity services engine, scope: lte, version: 2.7

Trust: 1.0

vendor: cisco, model: identity services engine, scope: -, version: -

Trust: 0.8

vendor: cisco, model: identity services engine, scope: eq, version: 2.4.0

Trust: 0.6

vendor: cisco, model: identity services engine, scope: eq, version: 2.4.0.357

Trust: 0.6

sources: JVNDB: JVNDB-2020-002427 // CNNVD: CNNVD-202003-170 // NVD: CVE-2020-3157

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-3157
value: MEDIUM

Trust: 1.0

ykramarz@cisco.com: CVE-2020-3157
value: MEDIUM

Trust: 1.0

NVD: JVNDB-2020-002427
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202003-170
value: MEDIUM

Trust: 0.6

VULHUB: VHN-181282
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2020-3157
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2020-002427
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-181282
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-3157
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.3
impactScore: 2.7
version: 3.1

Trust: 1.0

ykramarz@cisco.com: CVE-2020-3157
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.3
impactScore: 2.7
version: 3.0

Trust: 1.0

NVD: JVNDB-2020-002427
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-181282 // JVNDB: JVNDB-2020-002427 // CNNVD: CNNVD-202003-170 // NVD: CVE-2020-3157 // NVD: CVE-2020-3157

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.9

sources: VULHUB: VHN-181282 // JVNDB: JVNDB-2020-002427 // NVD: CVE-2020-3157

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202003-170

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202003-170

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-002427

PATCH

title: cisco-sa-ise-xss-BR7nEDjG, url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-xss-BR7nEDjG

Trust: 0.8

title: Cisco Identity Services Engine Fixes for cross-site scripting vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=111107

Trust: 0.6

sources: JVNDB: JVNDB-2020-002427 // CNNVD: CNNVD-202003-170

EXTERNAL IDS

db: NVD, id: CVE-2020-3157

Trust: 2.5

db: JVNDB, id: JVNDB-2020-002427

Trust: 0.8

db: CNNVD, id: CNNVD-202003-170

Trust: 0.7

db: AUSCERT, id: ESB-2020.0803

Trust: 0.6

db: VULHUB, id: VHN-181282

Trust: 0.1

sources: VULHUB: VHN-181282 // JVNDB: JVNDB-2020-002427 // CNNVD: CNNVD-202003-170 // NVD: CVE-2020-3157

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-ise-xss-br7nedjg

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2020-3157

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-3157

Trust: 0.8

url:https://www.auscert.org.au/bulletins/esb-2020.0803/

Trust: 0.6

sources: VULHUB: VHN-181282 // JVNDB: JVNDB-2020-002427 // CNNVD: CNNVD-202003-170 // NVD: CVE-2020-3157

SOURCES

db: VULHUB, id: VHN-181282
db: JVNDB, id: JVNDB-2020-002427
db: CNNVD, id: CNNVD-202003-170
db: NVD, id: CVE-2020-3157

LAST UPDATE DATE

2024-08-14T15:28:15.003000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-181282, date: 2020-03-05T00:00:00
db: JVNDB, id: JVNDB-2020-002427, date: 2020-03-16T00:00:00
db: CNNVD, id: CNNVD-202003-170, date: 2020-03-13T00:00:00
db: NVD, id: CVE-2020-3157, date: 2020-03-05T16:34:46.947

SOURCES RELEASE DATE

db: VULHUB, id: VHN-181282, date: 2020-03-04T00:00:00
db: JVNDB, id: JVNDB-2020-002427, date: 2020-03-16T00:00:00
db: CNNVD, id: CNNVD-202003-170, date: 2020-03-04T00:00:00
db: NVD, id: CVE-2020-3157, date: 2020-03-04T19:15:12.837