CVE-2014-3275
medium
CVSS v3
—
CVSS v2
6.5
VIR risk
6.5
Description
SQL injection vulnerability in the web framework in Cisco Identity Services Engine (ISE) 1.2(.1 patch 2) and earlier allows remote authenticated users to execute arbitrary SQL commands via a crafted URL, aka Bug ID CSCul21337.
Predictions
Exploit likelihood
20%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: psirt@cisco.com — http://tools.cisco.com/security/center/viewAlert.x?alertId=34328
Vendor advisory: psirt@cisco.com — http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3275
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| cisco | identity_services_engine_software | {"endIncluding":"1.2"} | |
| cisco | identity_services_engine_software | 1.0 | |
| cisco | identity_services_engine_software | 1.1 | |
References
- http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3275
- http://tools.cisco.com/security/center/viewAlert.x?alertId=34328
- http://www.securityfocus.com/bid/67555
- http://www.securitytracker.com/id/1030273
- http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3275
- http://tools.cisco.com/security/center/viewAlert.x?alertId=34328
- http://www.securityfocus.com/bid/67555
- http://www.securitytracker.com/id/1030273
CWEs
CWE-89
Verify integrity in audit chain (admin only). AS-IS.