CVE-2024-20532Path Traversal in Cisco Identity Services Engine

CWE-22Path TraversalCWE-611XML External Entity (XXE) InjectionCWE-79Cross-site Scripting4 documents4 sources
Severity
5.5MEDIUMNVD
EPSS
0.3%
top 45.95%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Cisco Identity Services EngineCisco Identity Services Engine Software
Timeline
PublishedNov 6

Description

A vulnerability in the API of Cisco ISE could allow an authenticated, remote attacker to read and delete arbitrary files on an affected device. To exploit this vulnerability, the attacker would need valid Super Admin credentials. This vulnerability is due to insufficient validation of user-supplied parameters in API requests. An attacker could exploit this vulnerability by sending a crafted API request to an affected device. A successful exploit could allow the attacker to read or delete arbitr

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:NExploitability: 1.2 | Impact: 4.2

Affected Packages2 packages

NVDcisco/identity_services_engine3.0.03.1.0+3

🔴Vulnerability Details

2
GHSA
GHSA-9m98-8pf8-hfc4: A vulnerability in the API of Cisco ISE could allow an authenticated, remote attacker to read and delete arbitrary files on an affected device2024-11-06
CVEList
Cisco Identity Services Engine Arbitrary File Read and Delete Vulnerability2024-11-06

📋Vendor Advisories

1
Cisco
Cisco Identity Services Engine Vulnerabilities2024-11-06
CVE-2024-20532 — Path Traversal in Cisco | cvebase