"Cisco Addressed Several High-Severity Flaws in Its Products"

Cisco has patched several vulnerabilities in its products, including high-severity flaws in its identity, email, and web security products. The most severe is a Cross-Site Request Forgery (CSRF) flaw, tracked as CVE-2022-20961 (CVSS score: 8.8), in the web-based management interface of the Identity Services Engine (ISE). The root cause is insufficient CSRF protection in that interface: an unauthenticated, remote attacker who persuades an already-authenticated administrator to follow a crafted link can make the administrator's browser perform arbitrary actions on the vulnerable device with the administrator's privileges. Cisco also addressed an insufficient access control vulnerability in ISE, tracked as CVE-2022-20956 (CVSS score: 7.1). It stems from improper access control in the same web-based management interface and can be exploited by an authenticated attacker who sends specially crafted HTTP requests to an affected device. In addition, the company patched a SQL injection vulnerability (CVE-2022-20867) and a privilege escalation vulnerability (CVE-2022-20868) in the Cisco Email Security Appliance (ESA) and Cisco Secure Email and Web Manager Next Generation Management. Cisco is also assessing the impact on its products of the OpenSSL 3.0 vulnerabilities CVE-2022-3602 and CVE-2022-3786 (buffer overflows in X.509 certificate name-constraint checking, fixed in OpenSSL 3.0.7). This article continues to discuss the high-severity issues in Cisco's products that have now been addressed.
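To make the root cause of the CSRF flaw concrete, the following is an added illustration written for this page; it is not Cisco's code and models no specific Cisco product or the actual ISE defect. It contrasts a management-interface handler that authorizes a state-changing POST on the session cookie alone (the pattern CSRF abuses) with a hardened handler that also checks the request's Origin/Referer against the expected UI origin and requires a per-session synchronizer token. The request model, the handler and session-store names, the trusted origin `https://mgmt.example.internal`, and the sample requests are all constructed assumptions for the demo.

```python
"""Added example: why a web management interface needs CSRF protection.

Illustrative code for this page only; not Cisco's code. The Request model,
TRUSTED_ORIGIN, SESSIONS and the handler names are assumptions for the demo.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

TRUSTED_ORIGIN = "https://mgmt.example.internal"   # assumed management-UI origin

# Server-side session store: session id -> per-session CSRF token (constructed).
SESSIONS: dict[str, str] = {}


@dataclass
class Request:
    """Minimal model of an HTTP POST as seen by the management interface."""
    cookies: dict[str, str]
    headers: dict[str, str] = field(default_factory=dict)
    form: dict[str, str] = field(default_factory=dict)


def login() -> tuple[str, str]:
    """Create a session and bind a fresh CSRF token to it; returns (sid, token)."""
    sid = secrets.token_urlsafe(16)
    token = secrets.token_urlsafe(32)
    SESSIONS[sid] = token
    return sid, token


def vulnerable_handler(req: Request) -> str:
    """Vulnerable pattern: the session cookie alone authorizes the action.

    The victim's browser attaches the cookie to any request a page makes,
    including a form auto-submitted from an attacker-controlled site.
    """
    if req.cookies.get("sid") not in SESSIONS:
        return "401 unauthenticated"
    return "200 action performed"


def same_origin(value: str) -> bool:
    """Compare scheme and host of an Origin/Referer value with the trusted UI origin."""
    src, trusted = urlsplit(value), urlsplit(TRUSTED_ORIGIN)
    return (src.scheme, src.netloc) == (trusted.scheme, trusted.netloc)


def hardened_handler(req: Request) -> str:
    """Hardened pattern: Origin/Referer check plus a synchronizer token."""
    sid = req.cookies.get("sid")
    if sid not in SESSIONS:
        return "401 unauthenticated"
    # 1. Browsers set Origin on cross-site POSTs and a page cannot forge it,
    #    so a request sourced from another site is rejected outright.
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not same_origin(origin):
        return "403 cross-site request rejected"
    # 2. The per-session token lives in the UI's own page; the same-origin
    #    policy keeps an attacker's page from reading it, so it cannot be
    #    included in a forged request. Constant-time compare avoids leaking it.
    submitted = req.form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, SESSIONS[sid]):
        return "403 missing or invalid CSRF token"
    return "200 action performed"


def demo() -> dict[str, str]:
    """Run both handlers against constructed legitimate and forged requests."""
    sid, token = login()
    legit = Request(cookies={"sid": sid},
                    headers={"Origin": TRUSTED_ORIGIN},
                    form={"csrf_token": token, "action": "add_admin"})
    # Forged cross-site POST: the browser adds the cookie, but the attacker's
    # page supplies neither the token nor a trusted Origin.
    forged = Request(cookies={"sid": sid},
                     headers={"Origin": "https://attacker.example"},
                     form={"action": "add_admin"})
    # Same origin but no token (e.g. a replayed form that lost the hidden field).
    no_token = Request(cookies={"sid": sid},
                       headers={"Origin": TRUSTED_ORIGIN},
                       form={"action": "add_admin"})
    return {
        "vulnerable_legit": vulnerable_handler(legit),
        "vulnerable_forged": vulnerable_handler(forged),
        "hardened_legit": hardened_handler(legit),
        "hardened_forged": hardened_handler(forged),
        "hardened_no_token": hardened_handler(no_token),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The vulnerable handler accepts the forged request because the browser, not the attacker, supplies the cookie; the hardened handler rejects it twice over. In practice both defenses belong together: the Origin check fails open when a browser omits the header, and the token check alone does not help if the token is leaked or predictable.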

Security Affairs reports "Cisco Addressed Several High-Severity Flaws in Its Products"
