Details of VAR-202211-1003

ID

VAR-202211-1003

CVE

CVE-2022-20966

TITLE

Cisco Identity Services Engine Cross-site scripting vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2022-006003

DESCRIPTION

A vulnerability in the web-based management interface of Cisco Identity Services Engine could allow an authenticated, remote attacker to conduct cross-site scripting attacks against other users of the application web-based management interface. This vulnerability is due to improper validation of input to an application feature before storage within the web-based management interface. An attacker could exploit this vulnerability by creating entries within the application interface that contain malicious HTML or script code. A successful exploit could allow the attacker to store malicious HTML or script code within the application interface for use in further cross-site scripting attacks. Cisco has not yet released software updates that address this vulnerability. For more information about these vulnerabilities, see the Details section of this advisory. There are no workarounds that address these vulnerabilities. This advisory is available at the following link:tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-7Q4TNYUx

Trust: 1.8

sources: NVD: CVE-2022-20966 // JVNDB: JVNDB-2022-006003 // VULHUB: VHN-405519 // VULMON: CVE-2022-20966

AFFECTED PRODUCTS

vendor:	cisco	model:	identity services engine	scope:	eq	version:	2.7.0	Trust: 1.0
vendor:	cisco	model:	identity services engine	scope:	lt	version:	2.6.0	Trust: 1.0
vendor:	cisco	model:	identity services engine	scope:	eq	version:	3.1	Trust: 1.0
vendor:	cisco	model:	identity services engine	scope:	eq	version:	2.6.0	Trust: 1.0
vendor:	cisco	model:	identity services engine	scope:	eq	version:	3.2	Trust: 1.0
vendor:	cisco	model:	identity services engine	scope:	eq	version:	3.0.0	Trust: 1.0
vendor:	シスコシステムズ	model:	cisco identity services engine	scope:	eq	version:	-	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco identity services engine	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2022-006003 // NVD: CVE-2022-20966

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD:	CVE-2022-20966
value:	MEDIUM
Trust: 1.0
ykramarz@cisco.com:	CVE-2022-20966
value:	MEDIUM
Trust: 1.0
OTHER:	JVNDB-2022-006003
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-202211-2960
value:	MEDIUM
Trust: 0.6

NVD:
baseSeverity:	MEDIUM
baseScore:	5.4
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.3
impactScore:	2.7
version:	3.1
Trust: 2.0
OTHER:	JVNDB-2022-006003
baseSeverity:	MEDIUM
baseScore:	5.4
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2022-006003 // CNNVD: CNNVD-202211-2960 // NVD: CVE-2022-20966 // NVD: CVE-2022-20966

PROBLEMTYPE DATA

problemtype:	CWE-79	Trust: 1.1
problemtype:	Cross-site scripting (CWE-79) [NVD evaluation ]	Trust: 0.8

sources: VULHUB: VHN-405519 // JVNDB: JVNDB-2022-006003 // NVD: CVE-2022-20966

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202211-2960

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202211-2960

CONFIGURATIONS

sources: NVD: CVE-2022-20966

PATCH

title:	cisco-sa-ise-7Q4TNYUx	url:	https://sec.cloudapps.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-ise-7q4tnyux	Trust: 0.8
title:	Cisco Identity Services Engine Fixes for cross-site scripting vulnerabilities	url:	http://123.124.177.30/web/xxk/bdxqbyid.tag?id=222193	Trust: 0.6
title:	Cisco: Cisco Identity Services Engine Vulnerabilities	url:	https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-ise-7q4tnyux	Trust: 0.1

sources: VULMON: CVE-2022-20966 // JVNDB: JVNDB-2022-006003 // CNNVD: CNNVD-202211-2960

EXTERNAL IDS

db:	NVD	id:	CVE-2022-20966	Trust: 3.4
db:	JVNDB	id:	JVNDB-2022-006003	Trust: 0.8
db:	AUSCERT	id:	ESB-2022.5984.4	Trust: 0.6
db:	AUSCERT	id:	ESB-2022.5984.2	Trust: 0.6
db:	CNNVD	id:	CNNVD-202211-2960	Trust: 0.6
db:	VULHUB	id:	VHN-405519	Trust: 0.1
db:	VULMON	id:	CVE-2022-20966	Trust: 0.1

sources: VULHUB: VHN-405519 // VULMON: CVE-2022-20966 // JVNDB: JVNDB-2022-006003 // CNNVD: CNNVD-202211-2960 // NVD: CVE-2022-20966

REFERENCES

url:	https://sec.cloudapps.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-ise-7q4tnyux	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2022-20966	Trust: 0.8
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-ise-7q4tnyux	Trust: 0.7
url:	https://www.auscert.org.au/bulletins/esb-2022.5984.2	Trust: 0.6
url:	https://cxsecurity.com/cveshow/cve-2022-20966/	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2022.5984.4	Trust: 0.6

sources: VULHUB: VHN-405519 // VULMON: CVE-2022-20966 // JVNDB: JVNDB-2022-006003 // CNNVD: CNNVD-202211-2960 // NVD: CVE-2022-20966

SOURCES

db:	VULHUB	id:	VHN-405519
db:	VULMON	id:	CVE-2022-20966
db:	JVNDB	id:	JVNDB-2022-006003
db:	CNNVD	id:	CNNVD-202211-2960
db:	NVD	id:	CVE-2022-20966

LAST UPDATE DATE

2024-01-29T19:24:47.612000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-405519	date:	2023-01-26T00:00:00
db:	JVNDB	id:	JVNDB-2022-006003	date:	2023-06-23T08:15:00
db:	CNNVD	id:	CNNVD-202211-2960	date:	2023-01-28T00:00:00
db:	NVD	id:	CVE-2022-20966	date:	2024-01-25T17:15:23.243

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-405519	date:	2023-01-20T00:00:00
db:	JVNDB	id:	JVNDB-2022-006003	date:	2023-06-23T00:00:00
db:	CNNVD	id:	CNNVD-202211-2960	date:	2022-11-16T00:00:00
db:	NVD	id:	CVE-2022-20966	date:	2023-01-20T07:15:11.377