SecurityTracker.com
Category:   Device (Embedded Server/Appliance)  >   Cisco Identity Services Engine
Vendors:   Cisco
Cisco Identity Services Engine Bugs Let Remote Users Upload and View Files and Cause Denial of Service Conditions
SecurityTracker Alert ID:  1029187
SecurityTracker URL:  http://securitytracker.com/id/1029187
CVE Reference:   CVE-2013-5538, CVE-2013-5539, CVE-2013-5540, CVE-2013-5541
Date:  Oct 16 2013
Impact:   Denial of service via network, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of system information, User access via network
Vendor Confirmed:  Yes  

Description:   Several vulnerabilities were reported in Cisco Identity Services Engine. A remote authenticated user can cause denial of service conditions. A remote authenticated user can upload files to the target system. A remote user can view files on the target system.

A remote user can exploit a file permissions flaw in the Sponsor Portal to access files that have been uploaded to the Sponsor Portal [CVE-2013-5538]. The vendor has assigned bug ID CSCui67506 to this vulnerability.

A remote authenticated user can exploit a flaw in the file upload dialog to upload a file with an alternate file type [CVE-2013-5539]. The vendor has assigned bug ID CSCui67511 to this vulnerability.

A remote authenticated user can exploit a flaw in the file upload management of Cisco Identity Services Engine to upload multiple files to a specific location of the filesystem and consume all available disk space [CVE-2013-5540]. This will cause the administrative interface to become unavailable. The vendor has assigned bug ID CSCui67519 to this vulnerability.

A remote authenticated user can exploit a flaw in the file upload filename parsing routine to upload a file with an arbitrary filename [CVE-2013-5541]. This can facilitate cross-site scripting attacks against web interface users. The vendor has assigned bug ID CSCui67495 to this vulnerability.

Impact:   A remote authenticated user can upload files to the target system.

A remote authenticated user can cause denial of service conditions on the target system.

A remote user can view files on the target system.

Solution:   No solution was available at the time of this entry.

The vendor's advisories are available at:

http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-5538
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-5539
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-5540
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-5541

Vendor URL:  tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-5538
Cause:   Access control error, Input validation error

Message History:   None.


Copyright 2019, SecurityGlobal.net LLC