ID

VAR-202211-1102


CVE

CVE-2022-20967


TITLE

Cisco Identity Services Engine Cross-site scripting vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2022-006002

DESCRIPTION

A vulnerability in the web-based management interface of Cisco Identity Services Engine could allow an authenticated, remote attacker to conduct cross-site scripting attacks against other users of the application web-based management interface. This vulnerability is due to improper validation of input to an application feature before storage within the web-based management interface. An attacker could exploit this vulnerability by creating entries within the application interface that contain malicious HTML or script code. A successful exploit could allow the attacker to store malicious HTML or script code within the application interface for use in further cross-site scripting attacks. Cisco has not yet released software updates that address this vulnerability. For more information about these vulnerabilities, see the Details section of this advisory. There are no workarounds that address these vulnerabilities. This advisory is available at the following link: tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-7Q4TNYUx

Trust: 1.8

sources: NVD: CVE-2022-20967 // JVNDB: JVNDB-2022-006002 // VULHUB: VHN-405520 // VULMON: CVE-2022-20967

AFFECTED PRODUCTS

vendor: cisco, model: identity services engine, scope: eq, version: 2.7.0

Trust: 1.0

vendor: cisco, model: identity services engine, scope: lt, version: 2.6.0

Trust: 1.0

vendor: cisco, model: identity services engine, scope: eq, version: 3.1

Trust: 1.0

vendor: cisco, model: identity services engine, scope: eq, version: 2.6.0

Trust: 1.0

vendor: cisco, model: identity services engine, scope: eq, version: 3.2

Trust: 1.0

vendor: cisco, model: identity services engine, scope: eq, version: 3.0.0

Trust: 1.0

vendor: シスコシステムズ, model: cisco identity services engine, scope: eq, version: -

Trust: 0.8

vendor: シスコシステムズ, model: cisco identity services engine, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2022-006002 // NVD: CVE-2022-20967

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2022-20967
value: MEDIUM

Trust: 1.8

ykramarz@cisco.com: CVE-2022-20967
value: MEDIUM

Trust: 1.0

CNNVD: CNNVD-202211-2956
value: MEDIUM

Trust: 0.6

NVD:
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.3
impactScore: 2.7
version: 3.1

Trust: 1.0

ykramarz@cisco.com:
baseSeverity: MEDIUM
baseScore: 4.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 1.7
impactScore: 2.7
version: 3.1

Trust: 1.0

NVD: CVE-2022-20967
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2022-006002 // CNNVD: CNNVD-202211-2956 // NVD: CVE-2022-20967 // NVD: CVE-2022-20967

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.1

problemtype: Cross-site scripting (CWE-79) [NVD evaluation]

Trust: 0.8

sources: VULHUB: VHN-405520 // JVNDB: JVNDB-2022-006002 // NVD: CVE-2022-20967

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202211-2956

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202211-2956

CONFIGURATIONS

sources: NVD: CVE-2022-20967

PATCH

title: cisco-sa-ise-7Q4TNYUx, url: https://sec.cloudapps.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-ise-7q4tnyux

Trust: 0.8

title: Cisco Identity Services Engine Fixes for cross-site scripting vulnerabilities, url: http://123.124.177.30/web/xxk/bdxqbyid.tag?id=222192

Trust: 0.6

title: Cisco: Cisco Identity Services Engine Vulnerabilities, url: https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-ise-7q4tnyux

Trust: 0.1

sources: VULMON: CVE-2022-20967 // JVNDB: JVNDB-2022-006002 // CNNVD: CNNVD-202211-2956

EXTERNAL IDS

db: NVD, id: CVE-2022-20967

Trust: 3.4

db: JVNDB, id: JVNDB-2022-006002

Trust: 0.8

db: AUSCERT, id: ESB-2022.5984.4

Trust: 0.6

db: AUSCERT, id: ESB-2022.5984.2

Trust: 0.6

db: CNNVD, id: CNNVD-202211-2956

Trust: 0.6

db: VULHUB, id: VHN-405520

Trust: 0.1

db: VULMON, id: CVE-2022-20967

Trust: 0.1

sources: VULHUB: VHN-405520 // VULMON: CVE-2022-20967 // JVNDB: JVNDB-2022-006002 // CNNVD: CNNVD-202211-2956 // NVD: CVE-2022-20967

REFERENCES

url: https://sec.cloudapps.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-ise-7q4tnyux

Trust: 1.7

url: https://nvd.nist.gov/vuln/detail/cve-2022-20967

Trust: 0.8

url: https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-ise-7q4tnyux

Trust: 0.7

url: https://www.auscert.org.au/bulletins/esb-2022.5984.2

Trust: 0.6

url: https://cxsecurity.com/cveshow/cve-2022-20967/

Trust: 0.6

url: https://www.auscert.org.au/bulletins/esb-2022.5984.4

Trust: 0.6

sources: VULHUB: VHN-405520 // VULMON: CVE-2022-20967 // JVNDB: JVNDB-2022-006002 // CNNVD: CNNVD-202211-2956 // NVD: CVE-2022-20967

SOURCES

db: VULHUB, id: VHN-405520
db: VULMON, id: CVE-2022-20967
db: JVNDB, id: JVNDB-2022-006002
db: CNNVD, id: CNNVD-202211-2956
db: NVD, id: CVE-2022-20967

LAST UPDATE DATE

2024-01-29T19:24:47.558000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-405520, date: 2023-01-26T00:00:00
db: JVNDB, id: JVNDB-2022-006002, date: 2023-06-23T08:09:00
db: CNNVD, id: CNNVD-202211-2956, date: 2023-01-28T00:00:00
db: NVD, id: CVE-2022-20967, date: 2024-01-25T17:15:23.360

SOURCES RELEASE DATE

db: VULHUB, id: VHN-405520, date: 2023-01-20T00:00:00
db: JVNDB, id: JVNDB-2022-006002, date: 2023-06-23T00:00:00
db: CNNVD, id: CNNVD-202211-2956, date: 2022-11-16T00:00:00
db: NVD, id: CVE-2022-20967, date: 2023-01-20T07:15:11.673