First published: Thu Jul 08 2021(Updated: )
Multiple vulnerabilities in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user. These vulnerabilities exist because the web-based management interface does not sufficiently validate user-supplied input. An attacker could exploit these vulnerabilities by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit these vulnerabilities, the attacker would need valid administrative credentials.
Credit: ykramarz@cisco.com
Affected Software | Affected Version | How to fix |
---|---|---|
Cisco Identity Services Engine | <2.6.0 | |
Cisco Identity Services Engine | =2.6\(0.999\) | |
Cisco Identity Services Engine | =2.6.0 | |
Cisco Identity Services Engine | =2.6.0-patch1 | |
Cisco Identity Services Engine | =2.6.0-patch2 | |
Cisco Identity Services Engine | =2.6.0-patch3 | |
Cisco Identity Services Engine | =2.6.0-patch5 | |
Cisco Identity Services Engine | =2.6.0-patch6 | |
Cisco Identity Services Engine | =2.6.0-patch7 | |
Cisco Identity Services Engine | =2.6.0-patch8 | |
Cisco Identity Services Engine | =2.7\(0.356\) | |
Cisco Identity Services Engine | =2.7.0 | |
Cisco Identity Services Engine | =2.7.0-patch1 | |
Cisco Identity Services Engine | =2.7.0-patch2 | |
Cisco Identity Services Engine | =3.0.0 | |
Cisco Identity Services Engine | =3.0.0-patch1 | |
Cisco Identity Services Engine | =3.0.0-patch2 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2021-1604 is a vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE).
CVE-2021-1604 has a severity level of medium.
CVE-2021-1604 allows an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user in Cisco Identity Services Engine.
Versions up to and including 2.6.0 of Cisco Identity Services Engine are affected by CVE-2021-1604.
You can fix CVE-2021-1604 by upgrading to a version of Cisco Identity Services Engine that is not affected by the vulnerability.