CVE-2022-20961: Cisco Identity Services Engine Cross-Site Request Forgery Vulnerability

CVE-2022-20961

Cisco on Wednesday informed customers that security updates are available for several of the company's products, including Cisco Identity Services Engine, Cisco Email Security Appliance, Cisco Secure Email and Web Manager, Cisco Secure Web Appliance Next Generation Management, and BroadWorks CommPilot Application Software, among others.

Two of the vulnerabilities, tracked as CVE-2022-20961 and CVE-2022-20956, have been classified by the networking giant as "high" severity. Both affect the web-based management interface of the Cisco Identity Services Engine (ISE) and could be exploited by a remote attacker to perform unauthorized actions on an affected device.

CVE-2022-20961 (CVSS score: 8.8) is caused by insufficient CSRF protections in the web-based management interface of an affected device. By persuading an already authenticated user to visit a malicious web page, a remote attacker can make the victim's browser send a crafted HTTP request to the device. Because the browser attaches the user's session cookie automatically, the device processes that request with the privileges of the target user, allowing the attacker to perform arbitrary actions on the device. The bug affects Identity Services Engine versions earlier than 3.2.

Cisco says there is no indication that this bug has been exploited for malicious purposes.

CVE-2022-20956 (CVSS score: 7.1) was caused by improper access control in the web-based management interface. By sending a specially crafted HTTP request, an attacker could exploit this vulnerability to bypass authorization and access system files. This bug affects the Identity Services Engine versions 3.1 and 3.2.

The company says proof-of-concept exploit code is available for this vulnerability.