{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2022-20961","assignerOrgId":"d1c1063e-7a18-46af-9102-31f8928bc633","state":"PUBLISHED","assignerShortName":"cisco","requesterUserId":"4087f8c1-b21c-479b-99df-de23cb76b743","dateReserved":"2021-11-02T13:28:29.197Z","dateUpdated":"2024-08-03T02:31:58.679Z","datePublished":"2022-11-03T18:45:44.243Z"},"containers":{"cna":{"providerMetadata":{"orgId":"d1c1063e-7a18-46af-9102-31f8928bc633","shortName":"cisco","dateUpdated":"2024-01-25T16:57:26.000Z"},"descriptions":[{"lang":"en","value":"A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device.\r\n\r This vulnerability is due to insufficient CSRF protections for the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a crafted link. A successful exploit could allow the attacker to perform arbitrary actions on the affected device with the privileges of the target user."}],"affected":[{"vendor":"Cisco","product":"Cisco Identity Services Engine Software","versions":[{"version":"2.6.0","status":"affected"},{"version":"2.6.0 p1","status":"affected"},{"version":"2.6.0 p2","status":"affected"},{"version":"2.6.0 p3","status":"affected"},{"version":"2.6.0 p5","status":"affected"},{"version":"2.6.0 p6","status":"affected"},{"version":"2.6.0 p7","status":"affected"},{"version":"2.6.0 p8","status":"affected"},{"version":"2.6.0 p9","status":"affected"},{"version":"2.6.0 p10","status":"affected"},{"version":"2.6.0 p11","status":"affected"},{"version":"2.7.0","status":"affected"},{"version":"2.7.0 p1","status":"affected"},{"version":"2.7.0 p2","status":"affected"},{"version":"2.7.0 p3","status":"affected"},{"version":"2.7.0 p4","status":"affected"},{"version":"2.7.0 p5","status":"affected"},{"version":"2.7.0 p6","status":"affected"},{"version":"2.7.0 p7","status":"affected"},{"version":"3.0.0","status":"affected"},{"version":"3.0.0 p1","status":"affected"},{"version":"3.0.0 p2","status":"affected"},{"version":"3.0.0 p3","status":"affected"},{"version":"3.0.0 p4","status":"affected"},{"version":"3.0.0 p5","status":"affected"},{"version":"3.1.0","status":"affected"},{"version":"3.1.0 p1","status":"affected"},{"version":"3.1.0 p3","status":"affected"}]}],"problemTypes":[{"descriptions":[{"lang":"en","description":"Cross-Site Request Forgery (CSRF)","type":"cwe","cweId":"CWE-352"}]}],"references":[{"url":"https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-csrf-vgNtTpAs","name":"cisco-sa-ise-csrf-vgNtTpAs"}],"metrics":[{"format":"cvssV3_1","cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}}],"exploits":[{"lang":"en","value":"The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."}],"source":{"advisory":"cisco-sa-ise-csrf-vgNtTpAs","discovery":"EXTERNAL","defects":["CSCwb75954"]}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-03T02:31:58.679Z"},"title":"CVE Program Container","references":[{"url":"https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-csrf-vgNtTpAs","name":"cisco-sa-ise-csrf-vgNtTpAs","tags":["x_transferred"]}]}]}}