CVE-2024-20466

MEDIUM

Cisco Identity Services Engine - Authenticated Sensitive Information Exposure via Web Management Interface

Title source: llm

Description

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to obtain sensitive information from an affected device. This vulnerability is due to improper enforcement of administrative privilege levels for high-value sensitive data. An attacker with read-only Administrator privileges for the web-based management interface on an affected device could exploit this vulnerability by browsing to a page that contains sensitive data. A successful exploit could allow the attacker to collect sensitive information regarding the configuration of the system.

References (1)

Core 1

Core References

Vendor Advisory

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-info-exp-vdF8Jbyk

Scores

CVSS v3 6.5

EPSS 0.0017

EPSS Percentile 38.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-266 CWE-863

Status published

Products (4)

cisco/identity_services_engine 3.1.0 (10 CPE variants)

cisco/identity_services_engine 3.2.0 (5 CPE variants)

cisco/identity_services_engine 3.3.0 (2 CPE variants)

cisco/identity_services_engine 2.7.0 - 3.1

Published Aug 21, 2024

Tracked Since Feb 18, 2026