Re: CSCvg86743 - Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerability

sierra_co · ‎05-17-2018

I noticed that this bug is listed as "fixed", but there's no information regarding the fix or any software releases that might provide it.

So, what's the fix?

cwarren4101 · ‎05-18-2018

And also for the Cisco engineers maintaining ISE. You are releasing patches for multiple different versions of ISE without documenting what is fixed in each patch. Justifying applying the patch to mgmt is impossible without this documentation. Please consider using a documentation similar to what is used for the ASA product which clearly details what is fixed with each release.

sthkhealth · ‎05-25-2018

@sierra_co wrote:

I noticed that this bug is listed as "fixed", but there's no information regarding the fix or any software releases that might provide it.

So, what's the fix?

Hi

Look in the section;

Further Problem Description:
The issue was triggered due to a hole in the import reporting process on the UI side.
The issue was fixed in release 2.2.

Not obvious though!

cwarren4101 · ‎05-25-2018

Yes but the other issue with this bugid and others for ISE is the "details" section. Under products only "Cisco Identity Services Engine (ISE) 3300 Series Appliances" is listed. This may be incorrect as the bug probably affects ISE installed on other platforms as well, not just ISE installed on this piece of hardware.

This is an important point as some of us must to justify to mgmt. why a patch should be applied and mgmt. seeing this may assume the bug only applies when ISE is installed on the "Cisco Identity Services Engine (ISE) 3300 Series Appliances" platform.

sierra_co · ‎05-25-2018

Thanks! It looks like information with the problem description was just recently added, as it was not there originally. It's great to see that someone updated it!