Cisco ISE Vulnerability: Arbitrary Actions Possible via CSRF
CVE-2024-20486

8.8HIGH

Key Information:

Vendor: Cisco
Status: Cisco Identity Services Engine Software
Vendor: CVE Published:; 21 August 2024

Summary

A security vulnerability in the management interface of Cisco Identity Services Engine (ISE) allows unauthenticated remote attackers to execute CSRF attacks. This exploit hinges on insufficient CSRF protections, enabling attackers to manipulate the device by coercing a user into clicking a specially crafted link. Through successful exploitation, an attacker can execute arbitrary actions on the device as if they were the legitimate user, posing significant risks to data integrity and security.

Affected Version(s)

Cisco Identity Services Engine Software 2.7.0

Cisco Identity Services Engine Software 2.7.0 p1

Cisco Identity Services Engine Software 2.7.0 p2

References

https://sec.cloudapps.cisco.com/security/center/content/C...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Aug 21, 2024
Vulnerability Reserved
Nov 8, 2023