CVE-2023-20030
Cisco Identity Services Engine XML External Entity Injection Vulnerability
A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to access sensitive information, conduct a server-side request forgery (SSRF) attack through an affected device, or negatively impact the responsiveness of the web-based management interface itself. This vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by uploading a crafted XML file that contains references to external entities. A successful exploit could allow the attacker to retrieve files from the local system, resulting in the disclosure of confidential information. A successful exploit could also cause the web application to perform arbitrary HTTP requests on behalf of the attacker or consume memory resources to reduce the availability of the web-based management interface. To successfully exploit this vulnerability, an attacker would need valid Super Admin or Policy Admin credentials.
| CWE | CWE-611 |
| Vendor | cisco |
| Product | cisco identity services engine software |
| Ecosystems | |
| Industries | NetworkingTelecommunications |
| Published | Apr 5, 2023 |
| Last Updated | Oct 25, 2024 |
Get instant alerts for cisco cisco identity services engine software
Be the first to know when new medium vulnerabilities affecting cisco cisco identity services engine software are published โ delivered to Slack, Telegram or Discord.
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L