Cisco addressed several high-severity flaws in its productsSecurity Affairs

Cisco addressed multiple flaws impacting its products, including high-severity issues in identity, email, and web security solutions.

Cisco addressed multiple vulnerabilities impacting some of its products, including high-severity flaws in identity, email, and web security products.

The most severe vulnerability addressed by the IT giant is a cross-site request forgery (CSRF) flaw, tracked as CVE-2022-20961 (CVSS score of 8.8), that impacts the Identity Services Engine (ISE). An unauthenticated, remote attacker can exploit the vulnerability to perform arbitrary actions on a vulnerable device. The root cause of the issue is the insufficient CSRF protections for the web-based management interface of an affected device.

“A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device.” reads the advisory. “This vulnerability is due to insufficient CSRF protections for the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a crafted link. A successful exploit could allow the attacker to perform arbitrary actions on the affected device with the privileges of the target user.”

Cisco also addressed an Insufficient Access Control vulnerability, tracked as CVE-2022-20956 (CVSS score of 7.1), in its ISE product. The flaw is caused by improper access control in the web-based management interface and an attacker can trigger it by sending specially-crafted HTTP requests to affected devices.

“This vulnerability is due to improper access control in the web-based management interface of an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device.” reads the advisory. “A successful exploit could allow the attacker to list, download, and delete certain files that they should not have access to.”

The Cisco PSIRT is aware of the availability of proof-of-concept exploit code for the vulnerability.

The company also fixed a SQL Injection Vulnerability, tracked as CVE-2022-20867, and a Privilege Escalation Vulnerability, tracked as CVE-2022-20868, in the Cisco ESA and Cisco Secure Email and Web Manager Next Generation Management.

The IT giant is also investigating the potential impact of the OpenSSL vulnerabilities tracked as CVE-2022-3602 and CVE-2022-3786.

Detailed information on the issues addressed by the vendor are available on Cisco’s product security page.

Follow me on Twitter: @securityaffairs and Facebook