Cisco于11月2日发布了安全更新,修复其部分产品中的多个漏洞。其中最严重的是跨站请求伪造漏洞(CVE-2022-20961),它影响了身份服务引擎(ISE),根本原因是基于Web的管理界面的CSRF保护不足。以及ISE产品中的访问控制不足漏洞(CVE-2022-20956),可通过向目标发送特制的HTTP请求来利用。此外,还修复了Cisco ESA和Cisco Secure Email and Web Manager Next Generation Management中的SQL注入漏洞(CVE-2022-20867)和提权漏洞(CVE-2022-20868)等。
The most severe vulnerability addressed by the IT giant is a cross-site request forgery (CSRF) flaw, tracked as CVE-2022-20961 (CVSS score of 8.8), that impacts the Identity Services Engine (ISE). An unauthenticated, remote attacker can exploit the vulnerability to perform arbitrary actions on a vulnerable device. The root cause of the issue is the insufficient CSRF protections for the web-based management interface of an affected device.
“A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to conduct a