CVE-2023-20272

21.11.2023, 19:15

A vulnerability in the web-based management interface of Cisco Identity Services Engine could allow an authenticated, remote attacker to upload malicious files to the web root of the application. This vulnerability is due to insufficient file input validation. An attacker could exploit this vulnerability by uploading a malicious file to the web interface. A successful exploit could allow the attacker to replace files and gain access to sensitive server-side information.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	6.7 MEDIUM	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L
cisco	CNA	6.7 MEDIUM	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 53%

Vendor	Product	Version
cisco	identity_services_engine	3.0.0
cisco	identity_services_engine	3.0.0:patch1
cisco	identity_services_engine	3.0.0:patch2
cisco	identity_services_engine	3.0.0:patch3
cisco	identity_services_engine	3.0.0:patch4
cisco	identity_services_engine	3.0.0:patch5
cisco	identity_services_engine	3.0.0:patch6
cisco	identity_services_engine	3.0.0:patch7
cisco	identity_services_engine	3.1
cisco	identity_services_engine	3.1:patch1
cisco	identity_services_engine	3.1:patch2
cisco	identity_services_engine	3.1:patch3
cisco	identity_services_engine	3.1:patch4

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-424 - Improper Protection of Alternate Path
The product does not sufficiently protect all possible paths that a user can take to access restricted functionality or resources.

References

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-mult-j-KxpNynR