Cisco Identity Services Engine Cross Site Scripting and HTML-injection Vulnerabilities

Bugtraq ID:	106513
Class:	Input Validation Error
CVE:	CVE-2018-15440 CVE-2018-15463
Remote:	Yes
Local:	No
Published:	Jan 09 2019 12:00AM
Updated:	Jan 09 2019 12:00AM
Credit:	Pedro Ribeiro and Olivier Arteau of Groupe Technologie Desjardins.
Vulnerable:	Cisco Identity Services Engine 2.4(0.357) Cisco Identity Services Engine 0
Not Vulnerable:

Cisco Identity Services Engine Cross Site Scripting and HTML-injection Vulnerabilities

Cisco Identity Services Engine is prone to a cross-site scripting vulnerability and an HTML-injection vulnerability.

An attacker can exploit these vulnerabilities to execute arbitrary HTML script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, or perform unauthorized actions. Other attacks are also possible.

This issue being tracked by Cisco Bug ID's CSCvm71860 and CSCvm79609.

Cisco Identity Services Engine Cross Site Scripting and HTML-injection Vulnerabilities

To exploit these issues, an attacker must entice an unsuspecting victim to follow a malicious URI or visit a malicious website.

Cisco Identity Services Engine Cross Site Scripting and HTML-injection Vulnerabilities

Solution:
Updates are available. Please see the references or vendor advisory for more information.

Cisco Identity Services Engine Cross Site Scripting and HTML-injection Vulnerabilities

References:

• Cisco Homepage (Cisco)
  
• Cisco Identity Services Engine Multiple Cross-Site Scripting Vulnerabilities (Cisco)