"Vulnerabilities in Cisco Identity Services Engine Require Your Attention"

Cisco is warning administrators of Cisco Identity Services Engine (ISE) solutions about two vulnerabilities that could be exploited to read and delete files on an affected device, as well as execute arbitrary scripts or access sensitive information. The Cisco Product Security Incident Response Team (PSIRT) is aware that proof-of-concept exploit code for the vulnerability described in the advisory will be made available following the release of software fixes. The company stated that public reports of the vulnerability, including a description and classification without specific technical details, will be made available following the publication of the advisory. Cisco ISE is a policy management and access control platform for devices on networks, and it is an essential component of a company's zero-trust architecture. ISE not only ensures software-defined access and automates network segmentation in IT and OT environments but also provides visibility into the network's state. One of the vulnerabilities is a path traversal flaw in Cisco ISE's web-based management interface that could be exploited by an authenticated, remote attacker. The other is a cross-site scripting (XSS) flaw in Cisco ISE's External RESTful Services (ERS) Application Programming Interface (API). This article continues to discuss the potential exploitation and impact of the vulnerabilities found in Cisco ISE.

Help Net Security reports "Vulnerabilities in Cisco Identity Services Engine Require Your Attention"

 

Submitted by Anonymous on