Details of VAR-202110-0583

ID

VAR-202110-0583

CVE

CVE-2021-34738

TITLE

Cisco Identity Services Engine Cross-site scripting vulnerability in software

Trust: 0.8

sources: JVNDB: JVNDB-2021-014093

DESCRIPTION

Multiple vulnerabilities in the web-based management interface of Cisco Identity Services Engine (ISE) Software could allow an attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. For more information about these vulnerabilities, see the Details section of this advisory. The platform monitors the network by collecting real-time information on the network, users and devices, and formulating and implementing corresponding policies. An attacker can exploit this vulnerability by injecting malicious code into specific pages of the interface. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code within the UI context, or access sensitive browser-based information. To exploit this vulnerability, an attacker would need valid administrative credentials

Trust: 1.8

sources: NVD: CVE-2021-34738 // JVNDB: JVNDB-2021-014093 // VULHUB: VHN-394980 // VULMON: CVE-2021-34738

AFFECTED PRODUCTS

vendor:	cisco	model:	identity services engine	scope:	lt	version:	2.6.0	Trust: 1.0
vendor:	cisco	model:	identity services engine	scope:	eq	version:	2.7\(0.356\)	Trust: 1.0
vendor:	cisco	model:	identity services engine	scope:	eq	version:	2.7	Trust: 1.0
vendor:	cisco	model:	identity services engine	scope:	eq	version:	2.7\(0.903\)	Trust: 1.0
vendor:	cisco	model:	identity services engine	scope:	eq	version:	3.0.0	Trust: 1.0
vendor:	cisco	model:	identity services engine	scope:	eq	version:	2.7.0	Trust: 1.0
vendor:	cisco	model:	identity services engine	scope:	eq	version:	2.6.0	Trust: 1.0
vendor:	cisco	model:	identity services engine	scope:	eq	version:	3.0\(0.458\)	Trust: 1.0
vendor:	cisco	model:	identity services engine	scope:	eq	version:	2.7\(0.207\)	Trust: 1.0
vendor:	シスコシステムズ	model:	cisco identity services engine	scope:	eq	version:	-	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco identity services engine	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2021-014093 // NVD: CVE-2021-34738

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-34738
value:	MEDIUM
Trust: 1.0
ykramarz@cisco.com:	CVE-2021-34738
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2021-34738
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-202110-1504
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-394980
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2021-34738
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-394980
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2021-34738
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	2.7
version:	3.1
Trust: 2.0
NVD:	CVE-2021-34738
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-394980 // JVNDB: JVNDB-2021-014093 // CNNVD: CNNVD-202110-1504 // NVD: CVE-2021-34738 // NVD: CVE-2021-34738

PROBLEMTYPE DATA

problemtype:	CWE-79	Trust: 1.1
problemtype:	Cross-site scripting (CWE-79) [NVD evaluation ]	Trust: 0.8

sources: VULHUB: VHN-394980 // JVNDB: JVNDB-2021-014093 // NVD: CVE-2021-34738

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202110-1504

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202110-1504

PATCH

title:	cisco-sa-ise-xss1-rgxYry2V	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-xss1-rgxYry2V	Trust: 0.8
title:	Cisco Identity Services Engine Fixes for cross-site scripting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=166672	Trust: 0.6
title:	Cisco: Cisco Identity Services Engine Cross-Site Scripting Vulnerabilities	url:	https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-ise-xss1-rgxYry2V	Trust: 0.1

sources: VULMON: CVE-2021-34738 // JVNDB: JVNDB-2021-014093 // CNNVD: CNNVD-202110-1504

EXTERNAL IDS

db:	NVD	id:	CVE-2021-34738	Trust: 3.4
db:	JVNDB	id:	JVNDB-2021-014093	Trust: 0.8
db:	CNNVD	id:	CNNVD-202110-1504	Trust: 0.7
db:	CS-HELP	id:	SB2021102132	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.3502	Trust: 0.6
db:	VULHUB	id:	VHN-394980	Trust: 0.1
db:	VULMON	id:	CVE-2021-34738	Trust: 0.1

sources: VULHUB: VHN-394980 // VULMON: CVE-2021-34738 // JVNDB: JVNDB-2021-014093 // CNNVD: CNNVD-202110-1504 // NVD: CVE-2021-34738

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-ise-xss1-rgxyry2v	Trust: 2.5
url:	https://nvd.nist.gov/vuln/detail/cve-2021-34738	Trust: 1.4
url:	https://www.cybersecurity-help.cz/vdb/sb2021102132	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.3502	Trust: 0.6
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULHUB: VHN-394980 // VULMON: CVE-2021-34738 // JVNDB: JVNDB-2021-014093 // CNNVD: CNNVD-202110-1504 // NVD: CVE-2021-34738

SOURCES

db:	VULHUB	id:	VHN-394980
db:	VULMON	id:	CVE-2021-34738
db:	JVNDB	id:	JVNDB-2021-014093
db:	CNNVD	id:	CNNVD-202110-1504
db:	NVD	id:	CVE-2021-34738

LAST UPDATE DATE

2024-08-14T14:03:03.211000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-394980	date:	2021-10-26T00:00:00
db:	VULMON	id:	CVE-2021-34738	date:	2021-10-21T00:00:00
db:	JVNDB	id:	JVNDB-2021-014093	date:	2022-10-05T00:55:00
db:	CNNVD	id:	CNNVD-202110-1504	date:	2021-11-02T00:00:00
db:	NVD	id:	CVE-2021-34738	date:	2023-11-07T03:36:15.633

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-394980	date:	2021-10-21T00:00:00
db:	VULMON	id:	CVE-2021-34738	date:	2021-10-21T00:00:00
db:	JVNDB	id:	JVNDB-2021-014093	date:	2022-10-05T00:00:00
db:	CNNVD	id:	CNNVD-202110-1504	date:	2021-10-20T00:00:00
db:	NVD	id:	CVE-2021-34738	date:	2021-10-21T03:15:06.940