Cisco's identified a bug in its Identity Services Engine: its admin portal doesn't properly authorise HTML requests, and that can let an attacker see custom pages an admin has created.
The reason it matters is that sys admins' custom pages can contain sensitive security information about the network that ISE is managing.
“The vulnerability is due to lack of access control for the uploaded HTML files. An attacker could exploit this vulnerability by crafting an HTTP request that points to the filename of the customised page”, the security note states.
The company says it's seen exploit code for the vulnerability, but so far isn't aware of any code in the wild. However, it hasn't yet been able to produce a software update.
Cisco advises admins not to put sensitive information into ISE custom pages, and recommends that access control lists to restrict access to custom pages to trusted machines. ®