Cisco Identity Services Engine Stored and Reflected Cross-Site Scripting Vulnerabilities

Multiple cross-site scripting vulnerabilities have been identified in the web-based management interface of Cisco Identity Services Engine (ISE). These vulnerabilities allow an authenticated, remote attacker with administrative write privileges to conduct stored or reflected cross-site scripting attacks against users of the interface. The issues arise from inadequate sanitization of user-supplied data, which can be exploited by convincing a user to click a specific link or view an affected page. The injected script could execute in the context of the management interface or access sensitive browser information.

Impact

Exploitation of these vulnerabilities could lead to stored or reflected cross-site scripting, allowing for the execution of injected scripts in the context of the user's session.

Remediation

Users are advised to upgrade to Cisco ISE version 3.2 Patch 8, 3.3 Patch 5, or 3.4 Patch 2. For instructions on upgrading, see the Cisco Identity Service Engine support page.