CVE-2023-20030: XML External Entity (XXE) Injection in Cisco Identity Services Engine

Severity: 6.0 MEDIUM (NVD)
EPSS: 0.6% (top 30.69%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 5

Description

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to access sensitive information, conduct a server-side request forgery (SSRF) attack through an affected device, or negatively impact the responsiveness of the web-based management interface itself. This vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L
Exploitability: 1.2 | Impact: 4.7

Affected Packages: 2 packages

🔴 Vulnerability Details (2)

CVEList: Cisco Identity Services Engine XML External Entity Injection Vulnerability | 2023-04-05
GHSA: GHSA-25m5-5hwm-rp7r: A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to access | 2023-04-05

📋 Vendor Advisories (1)

Cisco: Cisco Identity Services Engine XML External Entity Injection Vulnerability | 2023-02-01