Cisco ISE Sponsor Portal SQL Injection Vulnerability (CVE-2019-1942)

Vulnerability Key Information Basic Information Advisory ID: cisco-sa-20190717-ise-sql-inject First Published: July 17, 2019, 16:00 GMT Version 1.0: Final CVE ID: CVE-2019-1942 CWE ID: CWE-89 Cisco Bug ID: CSCvp29278 CVSS Score: Base 4.3 Vulnerability Summary Description: A vulnerability exists in the sponsor portal web interface of Cisco Identity Services Engine (ISE) that may allow an authenticated remote attacker to compromise the integrity of affected systems by executing arbitrary SQL queries. Cause: Due to insufficient validation of user-supplied input, an attacker can exploit this vulnerability by sending specially crafted input containing SQL statements to the affected system. Successful exploitation could allow the attacker to modify entries in certain database tables, thereby affecting data integrity. Mitigations: No mitigations are available. Link: Cisco Security Advisory Affected Products Affected Product Versions: Cisco ISE running software versions 2.6.0 and earlier. Fixed Software Recommendation: Customers should regularly review Cisco product security advisories when considering software upgrades to determine exposure and develop comprehensive upgrade solutions. Exploitation and Public Announcements Status: Cisco Product Security Incident Response Team (PSIRT) has not identified any public announcements or malicious use related to this vulnerability. Vulnerability Origin Discovery Method: Discovered during internal security testing. URL Cisco Security Advisory Revision History Version 1.0: July 17, 2019 - Initial public release, status marked as final.

Goal Reached Thanks to every supporter — we hit 100%!

Cisco ISE Sponsor Portal SQL Injection Vulnerability (CVE-2019-1942)