CVE-2023-20272: Input Validation
First published: Tue Nov 21 2023(Updated: )
A vulnerability in the web-based management interface of Cisco Identity Services Engine could allow an authenticated, remote attacker to upload malicious files to the web root of the application. This vulnerability is due to insufficient file input validation. An attacker could exploit this vulnerability by uploading a malicious file to the web interface. A successful exploit could allow the attacker to replace files and gain access to sensitive server-side information.
Credit: ykramarz@cisco.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Cisco Identity Services Engine | =3.0.0 | |
| Cisco Identity Services Engine | =3.0.0-patch1 | |
| Cisco Identity Services Engine | =3.0.0-patch2 | |
| Cisco Identity Services Engine | =3.0.0-patch3 | |
| Cisco Identity Services Engine | =3.0.0-patch4 | |
| Cisco Identity Services Engine | =3.0.0-patch5 | |
| Cisco Identity Services Engine | =3.0.0-patch6 | |
| Cisco Identity Services Engine | =3.0.0-patch7 | |
| Cisco Identity Services Engine | =3.1 | |
| Cisco Identity Services Engine | =3.1-patch1 | |
| Cisco Identity Services Engine | =3.1-patch2 | |
| Cisco Identity Services Engine | =3.1-patch3 | |
| Cisco Identity Services Engine | =3.1-patch4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2023-20272?
CVE-2023-20272 is a vulnerability in the web-based management interface of Cisco Identity Services Engine that allows an authenticated, remote attacker to upload malicious files to the web root of the application.
How severe is CVE-2023-20272?
CVE-2023-20272 has a severity rating of 8.8 (high).
What is the affected software version?
The affected software versions are Cisco Identity Services Engine 3.0.0, 3.0.0-patch1, 3.0.0-patch2, 3.0.0-patch3, 3.0.0-patch4, 3.0.0-patch5, 3.0.0-patch6, 3.0.0-patch7, 3.1, 3.1-patch1, 3.1-patch2, 3.1-patch3, and 3.1-patch4.
How can an attacker exploit CVE-2023-20272?
An attacker can exploit CVE-2023-20272 by leveraging insufficient file input validation to upload malicious files to the web root of the application.
Where can I find more information about CVE-2023-20272?
More information about CVE-2023-20272 can be found at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-mult-j-KxpNynR
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/references
- agent/author
- agent/weakness
- agent/tags
- agent/description
- agent/event
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- vendor/cisco
- canonical/cisco identity services engine
- version/cisco identity services engine/3.0.0
- version/cisco identity services engine/3.0.0-patch1
- version/cisco identity services engine/3.0.0-patch2
- version/cisco identity services engine/3.0.0-patch3
- version/cisco identity services engine/3.0.0-patch4
- version/cisco identity services engine/3.0.0-patch5
- version/cisco identity services engine/3.0.0-patch6
- version/cisco identity services engine/3.0.0-patch7
- version/cisco identity services engine/3.1
- version/cisco identity services engine/3.1-patch1
- version/cisco identity services engine/3.1-patch2
- version/cisco identity services engine/3.1-patch3
- version/cisco identity services engine/3.1-patch4