CSCwh70696 - Cisco ISE Stored Cross-Site Scripting Vulnerability

adeelshahzad · ‎01-19-2024

Dear All,

Recently, there is a vulnerability found called cross-site scripting(CVE-2024-20251) in ISE and as per cisco article fixed release is mentioned below which is little confusing about the fixed version. For instance, who has 2.7 version so which version has vulnerability fix that is not clearly mentioned in below table.

Can someone address the same and mentioned the version which has the vulnerability fix for version 2.7. Since in below table simply mentioned "Migrate to a fixed release" for 2.7 and 3.0 but which version has to migrate its no mentioned.

May be, I have missed something. Appreciate if someone can elaborate. Thanks.

Cisco ISE Release First Fixed Release

2.7 and earlier	Migrate to a fixed release.
3.0	Migrate to a fixed release.
3.1	3.1P8
3.2	3.2P5 (Mar 2024)
3.3	3.3P1

marce1000 · ‎01-19-2024

- As for the older releases 2.7 and 3.0 ; fix was probably still in development ; the full bug report seems rather clear
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwh70696

Known Fixed Releases (2 of 2)

3.3.0.430-Patch1

           3.1.0.518-Patch8

           So that implies that there is no fix within  the 2.7 (EOL by the way) and the 3.0 train
 
 M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

adeelshahzad · ‎01-21-2024

Hi Marce,

Thank you.

Dustin Anderson · ‎01-19-2024

Migrate to fixed release means they are not planning to patch those versions as they are end of support, so to get the fix you would need to upgrade to at least 3.1 or higher.

adeelshahzad · ‎01-21-2024

Hi Dustin,

Thank you.