SQL Injection in Cisco Identity_services_engine_software
CVE-2014-3275
SQL injection vulnerability in the web framework in Cisco Identity Services Engine (ISE) 1.2(.1 patch 2) and earlier allows remote authenticated users to execute arbitrary SQL commands via a crafted URL, aka Bug ID CSCul21337.
Vulnerability class: SQL Injection
EPSS: 0.003 (51.6th percentile)
Affected products
- Cisco Identity_services_engine_software — versions 1.0, 1.1
- N/a — versions n/a
Weakness classification (CWE)
References
- 67555 (vdb-entry, x_refsource_BID)
- 20140521 Cisco ISE Blind SQL Injection Vulnerability (x_refsource_CISCO, vendor-advisory, Vendor Advisory)
- 1030273 (vdb-entry, x_refsource_SECTRACK)
- psirt@cisco.com (x_refsource_CONFIRM, Vendor Advisory)