Cisco Identity Services Engine Improper Web Page Controls Privilege Escalation Vulnerability

2015-06-11T15:51:38
ID CISCO-SA-20150611-CVE-2015-4182
Type cisco
Reporter Cisco
Modified 2015-06-11T15:04:13

Description

A vulnerability in the administrative web interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to access sensitive information or modify certain device settings.

The vulnerability is due to improper controls on certain pages in the web interface. An attacker with authenticated access to the administrative web interface could access pages that should be restricted to a more privileged access role.

Cisco has confirmed the vulnerability and released software updates.

To exploit this vulnerability, an attacker must authenticate to the targeted device. This access requirement decreases the likelihood of a successful exploit.

Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.