Authenticated Remote Web File Upload in Cisco ISE Web UI
CVE-2023-20272 Published on November 21, 2023
A vulnerability in the web-based management interface of Cisco Identity Services Engine could allow an authenticated, remote attacker to upload malicious files to the web root of the application. This vulnerability is due to insufficient file input validation. An attacker could exploit this vulnerability by uploading a malicious file to the web interface. A successful exploit could allow the attacker to replace files and gain access to sensitive server-side information.
Vulnerability Analysis
CVE-2023-20272 is exploitable with network access, and requires user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality and integrity, and a small impact on availability.
Weakness Type
Improper Protection of Alternate Path
The product does not sufficiently protect all possible paths that a user can take to access restricted functionality or resources.
Products Associated with CVE-2023-20272
Want to know whenever a new CVE is published for Cisco Identity Services Engine? stack.watch will email you.
Affected Versions
Cisco Identity Services Engine Software:- Version 3.0.0 is affected.
- Version 3.0.0 p1 is affected.
- Version 3.0.0 p2 is affected.
- Version 3.0.0 p3 is affected.
- Version 3.0.0 p4 is affected.
- Version 3.0.0 p5 is affected.
- Version 3.0.0 p6 is affected.
- Version 3.0.0 p7 is affected.
- Version 3.1.0 is affected.
- Version 3.1.0 p1 is affected.
- Version 3.1.0 p3 is affected.
- Version 3.1.0 p4 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.