Cisco Identity Services Engine (ISE) is a platform that collects real-time information from networks, users, and devices to monitor and enforce policies for network governance. Cisco ISE can detect all attacks on the network and alleviate the pressure of complex access management.
On August 11, Cisco released a security update to fix critical vulnerabilities, including cross-site scripting attacks, found in Cisco ISE. Here are the details of the vulnerabilities:
Vulnerability Details
CVE-2021-1603, CVE-2021-1604, CVE-2021-1605, CVE-2021-1606, CVE-2021-1607 CVSS Score: 4.8 Medium
Cisco Identity Services Engine (ISE) has multiple vulnerabilities in its web-based management interface that may allow authenticated remote attackers to conduct stored cross-site scripting (XSS) attacks on users.
These vulnerabilities exist because the web-based management interface does not adequately validate user input. Attackers can exploit these vulnerabilities by injecting malicious code into specific pages of the interface. Successful exploitation may allow attackers to execute arbitrary script code or access sensitive browser-based information in the context of the affected interface. To exploit these vulnerabilities, attackers require valid management credentials.
Affected Products
At the time of release, these vulnerabilities affect Cisco ISE versions earlier than the following:
2.6 Patch 9
2.7 Patch 4
3.0 Patch 3
Solution
At the time of release, the following Cisco ISE versions contain fixes for these vulnerabilities:
2.6 Patch 9 and later versions
2.7 Patch 4 and later versions
3.0 Patch 3 and later versions
For more information on the vulnerabilities and upgrades, please visit the official website.
