CVE-2024-20528Path Traversal in Cisco Identity Services Engine

CWE-22Path TraversalCWE-611XML External Entity (XXE) InjectionCWE-79Cross-site Scripting4 documents4 sources
Severity
7.2HIGHNVD
CNA3.8
EPSS
1.3%
top 20.19%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Cisco Identity Services EngineCisco Identity Services Engine Software
Timeline
PublishedNov 6

Description

A vulnerability in the API of Cisco ISE could allow an authenticated, remote attacker to upload files to arbitrary locations on the underlying operating system of an affected device. To exploit this vulnerability, an attacker would need valid Super Admin credentials. This vulnerability is due to insufficient validation of user-supplied parameters in API requests. An attacker could exploit this vulnerability by sending a crafted API request to an affected device. A successful exploit could allow

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages2 packages

NVDcisco/identity_services_engine3.0.03.1.0+3

🔴Vulnerability Details

2
CVEList
Cisco Identity Services Engine Path Traversal Vulnerability2024-11-06
GHSA
GHSA-rg92-pqp9-j6jp: A vulnerability in the API of Cisco ISE could allow an authenticated, remote attacker to upload files to arbitrary locations on the underlying operati2024-11-06

📋Vendor Advisories

1
Cisco
Cisco Identity Services Engine Vulnerabilities2024-11-06
CVE-2024-20528 — Path Traversal in Cisco | cvebase