CVE-2020-3156

EPSS 0.21%
Veröffentlicht 19.02.2020 20:15:15
Zuletzt bearbeitet 21.11.2024 05:30:26
Quelle psirt@cisco.com
Teams Watchlist Login
Unerledigt Login

A vulnerability in the logging component of Cisco Identity Services Engine could allow an unauthenticated remote attacker to conduct cross-site scripting attacks. The vulnerability is due to the improper validation of endpoint data stored in logs used by the web-based interface. An attacker could exploit this vulnerability by sending malicious endpoint data to the targeted system. An exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or to access sensitive, browser-based information.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Cisco ≫ Identity Services Engine Version2.6.0 Updatepatch1

Cisco ≫ Identity Services Engine Version2.6.0 Updatepatch2

Cisco ≫ Identity Services Engine Version2.6.0 Updatepatch3

Cisco ≫ Identity Services Engine Version2.7

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.21%	0.403

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:N/I:P/A:N
psirt@cisco.com	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-xss-s3ekcKch

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2020-3156

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-3156

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-3156

EUVD