CVE-2019-15255Improper Access Control in Cisco Identity Services Engine Software

CWE-284Improper Access Control4 documents4 sources
Severity
6.5MEDIUMNVD
EPSS
0.2%
top 57.87%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Cisco Identity Services Engine SoftwareCisco Identity Services Engine
Timeline
PublishedJan 26
Latest updateMay 24

Description

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to bypass authorization and access sensitive information related to the device. The vulnerability exists because the software fails to sanitize URLs before it handles requests. An attacker could exploit this vulnerability by submitting a crafted URL. A successful exploit could allow the attacker to gain unauthorized access to sensitive information.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

CVEListV5cisco/cisco_identity_services_engine_softwareunspecifiedn/a
NVDcisco/identity_services_engine2.2, 2.2\(0.470\)+1

🔴Vulnerability Details

2
GHSA
GHSA-p225-mhq8-69hw: A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to bypass2022-05-24
CVEList
Cisco Identity Services Engine Authorization Bypass Vulnerability2020-01-26

📋Vendor Advisories

1
Cisco
Cisco Identity Services Engine Authorization Bypass Vulnerability2020-01-08
CVE-2019-15255 — Improper Access Control in Cisco | cvebase