Cisco ISE API Vulnerability Allows File Uploads and Elevated Privileges
CVE-2024-20528

7.2HIGH

Key Information:

Vendor: Cisco
Status: Identity Services Engine
Vendor: CVE Published:; 6 November 2024

Summary

A vulnerability exists in the API of Cisco Identity Services Engine (ISE) that allows an authenticated remote attacker to upload files to arbitrary locations on the device's operating system. This weakness arises from inadequate validation of parameters from API requests. An attacker with valid Super Admin credentials can exploit this flaw by sending a specially crafted API request, permitting them to upload custom files and potentially execute arbitrary code with elevated privileges.

References

https://sec.cloudapps.cisco.com/security/center/content/C...

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 6, 2024