Cisco Identity Services Engine Cross Site Scripting and HTML-injection Vulnerabilities



Cisco Identity Services Engine is prone to a cross-site scripting vulnerability and an HTML-injection vulnerability.

An attacker can exploit these vulnerabilities to execute arbitrary HTML and script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, or perform unauthorized actions. Other attacks are also possible.

These issues are being tracked by Cisco Bug IDs CSCvm71860 and CSCvm79609.

Information

Bugtraq ID: 106513
Class: Input Validation Error
CVE: CVE-2018-15440, CVE-2018-15463

Remote: Yes
Local: No
Published: Jan 09 2019 12:00AM
Updated: Jan 09 2019 12:00AM
Credit: Pedro Ribeiro and Olivier Arteau of Groupe Technologie Desjardins.
Vulnerable: Cisco Identity Services Engine 2.4(0.357)
Cisco Identity Services Engine 0


Not Vulnerable:

Exploit


To exploit these issues, an attacker must entice an unsuspecting victim to follow a malicious URI or visit a malicious website.

