ID

VAR-202211-1003


CVE

CVE-2022-20966


TITLE

Cisco Identity Services Engine Cross-site scripting vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2022-006003

DESCRIPTION

A vulnerability in the web-based management interface of Cisco Identity Services Engine could allow an authenticated, remote attacker to conduct cross-site scripting attacks against other users of the application web-based management interface. This vulnerability is due to improper validation of input to an application feature before storage within the web-based management interface. An attacker could exploit this vulnerability by creating entries within the application interface that contain malicious HTML or script code. A successful exploit could allow the attacker to store malicious HTML or script code within the application interface for use in further cross-site scripting attacks. Cisco has not yet released software updates that address this vulnerability. For more information about these vulnerabilities, see the Details section of this advisory. There are no workarounds that address these vulnerabilities. This advisory is available at the following link: tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-7Q4TNYUx

Trust: 1.8

sources: NVD: CVE-2022-20966 // JVNDB: JVNDB-2022-006003 // VULHUB: VHN-405519 // VULMON: CVE-2022-20966

AFFECTED PRODUCTS

vendor: cisco, model: identity services engine, scope: lt, version: 2.6.0

Trust: 1.0

vendor: cisco, model: identity services engine, scope: eq, version: 3.2

Trust: 1.0

vendor: cisco, model: identity services engine, scope: eq, version: 3.0.0

Trust: 1.0

vendor: cisco, model: identity services engine, scope: eq, version: 2.7.0

Trust: 1.0

vendor: cisco, model: identity services engine, scope: eq, version: 2.6.0

Trust: 1.0

vendor: cisco, model: identity services engine, scope: eq, version: 3.1

Trust: 1.0

vendor: シスコシステムズ, model: cisco identity services engine, scope: eq, version: -

Trust: 0.8

vendor: シスコシステムズ, model: cisco identity services engine, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2022-006003 // NVD: CVE-2022-20966

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-20966
value: MEDIUM

Trust: 1.0

ykramarz@cisco.com: CVE-2022-20966
value: MEDIUM

Trust: 1.0

OTHER: JVNDB-2022-006003
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202211-2960
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2022-20966
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.3
impactScore: 2.7
version: 3.1

Trust: 2.0

OTHER: JVNDB-2022-006003
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2022-006003 // CNNVD: CNNVD-202211-2960 // NVD: CVE-2022-20966 // NVD: CVE-2022-20966

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.1

problemtype:Cross-site scripting (CWE-79) [NVD evaluation]

Trust: 0.8

sources: VULHUB: VHN-405519 // JVNDB: JVNDB-2022-006003 // NVD: CVE-2022-20966

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202211-2960

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202211-2960

PATCH

title: cisco-sa-ise-7Q4TNYUx, url: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-7Q4TNYUx

Trust: 0.8

title: Cisco Identity Services Engine Fixes for cross-site scripting vulnerabilities, url: http://123.124.177.30/web/xxk/bdxqById.tag?id=222193

Trust: 0.6

title: Cisco: Cisco Identity Services Engine Vulnerabilities, url: https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-ise-7Q4TNYUx

Trust: 0.1

sources: VULMON: CVE-2022-20966 // JVNDB: JVNDB-2022-006003 // CNNVD: CNNVD-202211-2960

EXTERNAL IDS

db: NVD, id: CVE-2022-20966

Trust: 3.4

db: JVNDB, id: JVNDB-2022-006003

Trust: 0.8

db: AUSCERT, id: ESB-2022.5984.4

Trust: 0.6

db: AUSCERT, id: ESB-2022.5984.2

Trust: 0.6

db: CNNVD, id: CNNVD-202211-2960

Trust: 0.6

db: VULHUB, id: VHN-405519

Trust: 0.1

db: VULMON, id: CVE-2022-20966

Trust: 0.1

sources: VULHUB: VHN-405519 // VULMON: CVE-2022-20966 // JVNDB: JVNDB-2022-006003 // CNNVD: CNNVD-202211-2960 // NVD: CVE-2022-20966

REFERENCES

url:https://sec.cloudapps.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-ise-7q4tnyux

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2022-20966

Trust: 0.8

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-ise-7q4tnyux

Trust: 0.7

url:https://www.auscert.org.au/bulletins/esb-2022.5984.2

Trust: 0.6

url:https://cxsecurity.com/cveshow/cve-2022-20966/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.5984.4

Trust: 0.6

sources: VULHUB: VHN-405519 // VULMON: CVE-2022-20966 // JVNDB: JVNDB-2022-006003 // CNNVD: CNNVD-202211-2960 // NVD: CVE-2022-20966

SOURCES

db: VULHUB, id: VHN-405519
db: VULMON, id: CVE-2022-20966
db: JVNDB, id: JVNDB-2022-006003
db: CNNVD, id: CNNVD-202211-2960
db: NVD, id: CVE-2022-20966

LAST UPDATE DATE

2024-08-14T13:21:31.056000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-405519, date: 2023-01-26T00:00:00
db: JVNDB, id: JVNDB-2022-006003, date: 2023-06-23T08:15:00
db: CNNVD, id: CNNVD-202211-2960, date: 2023-01-28T00:00:00
db: NVD, id: CVE-2022-20966, date: 2024-01-25T17:15:23.243

SOURCES RELEASE DATE

db: VULHUB, id: VHN-405519, date: 2023-01-20T00:00:00
db: JVNDB, id: JVNDB-2022-006003, date: 2023-06-23T00:00:00
db: CNNVD, id: CNNVD-202211-2960, date: 2022-11-16T00:00:00
db: NVD, id: CVE-2022-20966, date: 2023-01-20T07:15:11.377