Cisco Bug: CSCus16052 - XSS found in ISE admin pages (Infra)

Last Modified

Jun 10, 2016

Products (1)

  • Cisco Identity Services Engine (ISE) 3300 Series Appliances

Known Affected Releases

1.2(1.198) 1.3(0.876) 1.3(0.904) 1.4(0.903)

Description (partial)

Symptom: A vulnerability in the Cisco Identity Services Engine (ISE) Infra Admin UI could allow an unauthenticated, remote attacker to perform a cross-site scripting (XSS) attack.

Conditions: The vulnerability is due to insufficient input validation of some parameters passed via HTTP GET or POST methods. An attacker could exploit this vulnerability by intercepting the user's packets and injecting malicious code. An exploit could allow the attacker to execute arbitrary script code in the context of the affected site or to access sensitive browser-based information.

Specific to /admin/supportBundleAction.do [selectedItemName parameter]

Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases

Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.