Vendor: Cisco
Advisory ID: CISCO-SA-20170705-ISE1
Published: Jul 05, 2017 - 4:00 p.m.

Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerability

2017-07-05 16:00:00
Source: tools.cisco.com

EPSS: 0.001 (percentile: 43.6%)

A vulnerability in the web-based application interface of the Cisco Identity Services Engine (ISE) portal could allow an unauthenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web interface of an affected system.

The vulnerability is due to insufficient input validation and output-encoding parameters for data that is passed between an affected client and server. An attacker could exploit this vulnerability by intercepting targeted user packets and injecting malicious code into the targeted traffic stream. A successful exploit could allow the attacker to inject script code into the HTTP flow between the targeted user and the affected system.

For additional information about cross-site scripting attacks and the methods used to exploit these vulnerabilities, see the Cisco Applied Mitigation Bulletin Understanding Cross-Site Scripting (XSS) Threat Vectors [https://sec.cloudapps.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20060922-understanding-xss] and the OWASP reference page Cross-site Scripting (XSS) [https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)].

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170705-ise1

Affected configurations

Vulners node: cisco identity_services_engine_software (match: any) OR cisco identity_services_engine_software (match: any)

Vendor: cisco
Product: identity_services_engine_software
Version: any
CPE: cpe:2.3:a:cisco:identity_services_engine_software:any:*:*:*:*:*:*:*
