CVE-2024-20531XML External Entity (XXE) Injection in Cisco Identity Services Engine Software

CWE-611XML External Entity (XXE) InjectionCWE-918Server-Side Request ForgeryCWE-22Path TraversalCWE-79Cross-site Scripting4 documents4 sources
Severity
6.5MEDIUMNVD
CNA5.5
EPSS
0.3%
top 47.29%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Cisco Identity Services Engine SoftwareCisco Identity Services Engine
Timeline
PublishedNov 6

Description

A vulnerability in the API of Cisco ISE could allow an authenticated, remote attacker to read arbitrary files on the underlying operating system of an affected device and conduct a server-side request forgery (SSRF) attack through an affected device. To exploit this vulnerability, the attacker would need valid Super Admin credentials. This vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing XML input. An attacker could exploit this vulnerability by sendin

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:NExploitability: 1.2 | Impact: 5.2

Affected Packages2 packages

🔴Vulnerability Details

2
CVEList
Cisco Identity Services Engine XML External Entity Injection Vulnerability2024-11-06
GHSA
GHSA-38gf-q933-q62g: A vulnerability in the API of Cisco ISE could allow an authenticated, remote attacker to read arbitrary files on the underlying operating system of an2024-11-06

📋Vendor Advisories

1
Cisco
Cisco Identity Services Engine Vulnerabilities2024-11-06