Richard Conner

Name of the Vulnerable Software and Affected Versions: Cisco Identity Services Engine (affected versions not specified) Description: The issue is related to errors in password storage within the administrative web interface of the Cisco Identity Services Engine platform. This could allow a remote attacker to gain unauthorized access to protected information. The vulnerability is due to the incorrect inclusion of saved passwords when loading configuration pages in the Admin portal. An attacker with read or write access to the Admin portal could exploit this by browsing to a page containing sensitive data, potentially recovering passwords and exposing accounts to further attack. Recommendations: For Cisco Identity Services Engine, update to a version that includes the software updates released by Cisco to address this issue. As a temporary workaround, consider restricting access to the Admin portal to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Cisco Identity Services Engine (ISE) (affected versions not specified) **Description** A vulnerability in the web-based management interface could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based interface. The issue is due to insufficient validation of user-supplied input to the web-based management interface. An attacker could exploit this by crafting a malicious configuration and saving it to the targeted system, potentially allowing the execution of arbitrary script code in the context of the affected interface or access to sensitive, browser-based information when an administrator views the configuration. The attacker would need write permissions to exploit this successfully. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.