CVE-2018-15456 — Sensitive Information Exposure in Cisco Identity Services Engine Software

CWE-200 — Sensitive Information Exposure CWE-522 — Insufficiently Protected Credentials4 documents4 sources

Severity

4.9MEDIUMNVD

CNA4.3

EPSS

0.1%

top 65.62%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cisco Identity Services Engine Software Cisco Identity Services Engine

Timeline

PublishedJan 10

Latest updateMay 13

Description

A vulnerability in the Admin Portal of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to view saved passwords in plain text. The vulnerability is due to the incorrect inclusion of saved passwords when loading configuration pages in the Admin Portal. An attacker with read or write access to the Admin Portal could exploit this vulnerability by browsing to a page that contains sensitive data. An exploit could allow the attacker to recover passwords for unauthoriz…

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:NExploitability: 1.2 | Impact: 3.6

Affected Packages2 packages

▶NVDcisco/identity_services_engine4 versions+3

▶CVEListV5cisco/cisco_identity_services_engine_softwaren/a

🔴Vulnerability Details

GHSA

GHSA-p8fm-vh24-mr35: A vulnerability in the Admin Portal of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to view saved passwords in p↗2022-05-13

▶

CVEList

Cisco Identity Services Engine Password Recovery Vulnerability↗2019-01-10

▶

📋Vendor Advisories

Cisco

Cisco Identity Services Engine Password Recovery Vulnerability↗2019-01-09

▶