{"containers": {"cna": {"affected": [{"product": "Cisco Identity Services Engine Software", "vendor": "Cisco", "versions": [{"lessThan": "n/a", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "datePublic": "2019-10-16T00:00:00", "descriptions": [{"lang": "en", "value": "A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The attacker must have valid administrator credentials. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of the affected software. An attacker could exploit this vulnerability by injecting malicious code into a troubleshooting file. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information."}], "exploits": [{"lang": "en", "value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2019-10-16T18:36:46", "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "shortName": "cisco"}, "references": [{"name": "20191016 Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerability", "tags": ["vendor-advisory", "x_refsource_CISCO"], "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-ise-xss"}], "source": {"advisory": "cisco-sa-20191016-ise-xss", "defect": [["CSCvq52317"]], "discovery": "INTERNAL"}, "title": "Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerability", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@cisco.com", "DATE_PUBLIC": "2019-10-16T16:00:00-0700", "ID": "CVE-2019-15281", "STATE": "PUBLIC", "TITLE": "Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerability"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Cisco Identity Services Engine Software", "version": {"version_data": [{"affected": "<", "version_affected": "<", "version_value": "n/a"}]}}]}, "vendor_name": "Cisco"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The attacker must have valid administrator credentials. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of the affected software. An attacker could exploit this vulnerability by injecting malicious code into a troubleshooting file. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information."}]}, "exploit": [{"lang": "en", "value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."}], "impact": {"cvss": {"baseScore": "4.8", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79"}]}]}, "references": {"reference_data": [{"name": "20191016 Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerability", "refsource": "CISCO", "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-ise-xss"}]}, "source": {"advisory": "cisco-sa-20191016-ise-xss", "defect": [["CSCvq52317"]], "discovery": "INTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T00:42:03.696Z"}, "title": "CVE Program Container", "references": [{"name": "20191016 Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerability", "tags": ["vendor-advisory", "x_refsource_CISCO", "x_transferred"], "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-ise-xss"}]}]}, "cveMetadata": {"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "assignerShortName": "cisco", "cveId": "CVE-2019-15281", "datePublished": "2019-10-16T18:36:46.102217Z", "dateReserved": "2019-08-20T00:00:00", "dateUpdated": "2024-09-16T19:41:58.348Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cisco:identity_services_engine_software:*:*:*:*:*:*:*:*", "matchCriteriaId": "ECC9CF6C-838C-4C7F-8944-4F0736875207", "versionEndExcluding": "2.4\\(0.357\\)", "vulnerable": true}, {"criteria": "cpe:2.3:a:cisco:identity_services_engine_software:2.4\\(0.357\\):-:*:*:*:*:*:*", "matchCriteriaId": "530BF3D8-E256-4ADB-B0CB-6970885D65AD", "vulnerable": true}, {"criteria": "cpe:2.3:a:cisco:identity_services_engine_software:2.4\\(0.357\\):patch1:*:*:*:*:*:*", "matchCriteriaId": "B2FC1F25-BFCE-4EDF-A663-F9A3DB2CBB30", "vulnerable": true}, {"criteria": "cpe:2.3:a:cisco:identity_services_engine_software:2.4\\(0.357\\):patch2:*:*:*:*:*:*", "matchCriteriaId": "22165A20-D544-4C98-9A6A-5FC0E635668B", "vulnerable": true}, {"criteria": "cpe:2.3:a:cisco:identity_services_engine_software:2.4\\(0.357\\):patch3:*:*:*:*:*:*", "matchCriteriaId": "0059B8B5-5168-4A16-93EA-C959AADF6929", "vulnerable": true}, {"criteria": "cpe:2.3:a:cisco:identity_services_engine_software:2.4\\(0.357\\):patch4:*:*:*:*:*:*", "matchCriteriaId": "094F2C84-FF31-4C16-928B-8B55057125F6", "vulnerable": true}, {"criteria": "cpe:2.3:a:cisco:identity_services_engine_software:2.4\\(0.357\\):patch5:*:*:*:*:*:*", "matchCriteriaId": "573A629A-0747-4146-955A-AE3198A33103", "vulnerable": true}, {"criteria": "cpe:2.3:a:cisco:identity_services_engine_software:2.4\\(0.357\\):patch6:*:*:*:*:*:*", "matchCriteriaId": "A2AA30CC-A4D1-477D-9AD5-BFD2C1A91C02", "vulnerable": true}, {"criteria": "cpe:2.3:a:cisco:identity_services_engine_software:2.4\\(0.357\\):patch7:*:*:*:*:*:*", "matchCriteriaId": "E4EF10D4-BA24-46F8-9FFD-95DDFBFEB919", "vulnerable": true}, {"criteria": "cpe:2.3:a:cisco:identity_services_engine_software:2.4\\(0.357\\):patch8:*:*:*:*:*:*", "matchCriteriaId": "71BBA48D-FCDC-4096-AF12-981F17E28815", "vulnerable": true}, {"criteria": "cpe:2.3:a:cisco:identity_services_engine_software:2.4\\(0.357\\):patch9:*:*:*:*:*:*", "matchCriteriaId": "26F5B643-6971-40D7-BF81-81CC3FE6A16D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The attacker must have valid administrator credentials. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of the affected software. An attacker could exploit this vulnerability by injecting malicious code into a troubleshooting file. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information."}, {"lang": "es", "value": "Una vulnerabilidad en la interfaz de administraci\u00f3n basada en web de Cisco Identity Services Engine (ISE) Software, podr\u00eda permitir a un atacante remoto autenticado conducir un ataque de tipo cross-site scripting (XSS) almacenado contra un usuario de la interfaz de administraci\u00f3n basada en web de un dispositivo afectado. El atacante debe tener credenciales de administrador v\u00e1lidas. La vulnerabilidad es debido a una comprobaci\u00f3n insuficiente de la entrada suministrada por el usuario mediante la interfaz de administraci\u00f3n basada en web del software afectado. Un atacante podr\u00eda explotar esta vulnerabilidad al inyectar c\u00f3digo malicioso en un archivo de soluci\u00f3n de problemas. Una explotaci\u00f3n con \u00e9xito podr\u00eda permitir al atacante ejecutar c\u00f3digo de script arbitrario en el contexto de la interfaz afectada o acceder a informaci\u00f3n confidencial basada en navegador."}], "id": "CVE-2019-15281", "lastModified": "2019-10-22T13:18:24.467", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "ykramarz@cisco.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-10-16T19:15:15.347", "references": [{"source": "ykramarz@cisco.com", "tags": ["Vendor Advisory"], "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-ise-xss"}], "sourceIdentifier": "ykramarz@cisco.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "ykramarz@cisco.com", "type": "Secondary"}]}

{}