CVE-2023-20120

Multiple vulnerabilities in the web-based management interface of Cisco AsyncOS Software for Cisco Secure Email and Web Manager; Cisco Secure Email Gateway, formerly Cisco Email Security Appliance (ESA); and Cisco Secure Web Appliance, formerly Cisco Web Security Appliance (WSA), could allow a remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. For more information about these vulnerabilities, see the Details section of this advisory.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esa-sma-wsa-xss-cP9DuEmq	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:cisco:secure_email_and_web_manager:14.0.0-418:::::::*
	cpe:2.3:a:cisco:secure_email_and_web_manager:14.0.1-033:::::::*
	cpe:2.3:a:cisco:secure_email_and_web_manager:14.0.1-053:::::::*
	cpe:2.3:a:cisco:secure_email_and_web_manager:15.0.0-050:::::::*
	cpe:2.3:a:cisco:secure_email_and_web_manager:15.0.0-256:::::::*
	cpe:2.3:a:cisco:secure_email_gateway:14.0.0-418:::::::*
	cpe:2.3:a:cisco:secure_email_gateway:14.0.1-033:::::::*
	cpe:2.3:a:cisco:secure_email_gateway:14.0.1-053:::::::*
	cpe:2.3:a:cisco:secure_email_gateway:15.0.0-050:::::::*
	cpe:2.3:a:cisco:secure_email_gateway:15.0.0-256:::::::*
	cpe:2.3:a:cisco:web_security_appliance:14.0.0-418:::::::*
	cpe:2.3:a:cisco:web_security_appliance:14.0.1-033:::::::*
	cpe:2.3:a:cisco:web_security_appliance:14.0.1-053:::::::*
	cpe:2.3:a:cisco:web_security_appliance:15.0.0-050:::::::*
	cpe:2.3:a:cisco:web_security_appliance:15.0.0-256:::::::*

History

No history.

Information

Published : 2023-06-28 15:15

Updated : 2023-11-07 04:06

NVD link : CVE-2023-20120

Mitre link : CVE-2023-20120

CVE.ORG link : CVE-2023-20120

JSON object : View

Products Affected

cisco

secure_email_and_web_manager
secure_email_gateway
web_security_appliance

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2023-20120", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "ykramarz@cisco.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2023-06-28T15:15:09.760", "references": [{"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esa-sma-wsa-xss-cP9DuEmq", "tags": ["Vendor Advisory"], "source": "ykramarz@cisco.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}, {"type": "Secondary", "source": "ykramarz@cisco.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Multiple vulnerabilities in the web-based management interface of Cisco AsyncOS Software for Cisco Secure Email and Web Manager; Cisco Secure Email Gateway, formerly Cisco Email Security Appliance (ESA); and Cisco Secure Web Appliance, formerly Cisco Web Security Appliance (WSA), could allow a remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. For more information about these vulnerabilities, see the Details section of this advisory."}], "lastModified": "2023-11-07T04:06:06.050", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:cisco:secure_email_and_web_manager:14.0.0-418:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "91A23056-1521-4982-8F4D-BCDB6F9E98EE"}, {"criteria": "cpe:2.3:a:cisco:secure_email_and_web_manager:14.0.1-033:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D9897B99-0295-4D4D-8EE7-88FB5BC97123"}, {"criteria": "cpe:2.3:a:cisco:secure_email_and_web_manager:14.0.1-053:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "286B37A2-A7B1-44D9-A2BD-56F9C26195A7"}, {"criteria": "cpe:2.3:a:cisco:secure_email_and_web_manager:15.0.0-050:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3774F588-98E5-4197-B858-FF83B5838265"}, {"criteria": "cpe:2.3:a:cisco:secure_email_and_web_manager:15.0.0-256:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "99A048C2-7352-4ED5-990F-95467AAB022C"}, {"criteria": "cpe:2.3:a:cisco:secure_email_gateway:14.0.0-418:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "02212FE3-CEE6-4609-B9AE-CD228F4ADFFC"}, {"criteria": "cpe:2.3:a:cisco:secure_email_gateway:14.0.1-033:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B0DB52EF-1542-4665-AC44-F1E3B074B615"}, {"criteria": "cpe:2.3:a:cisco:secure_email_gateway:14.0.1-053:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "615DD221-9200-41D1-9DAF-CC8BEB67342C"}, {"criteria": "cpe:2.3:a:cisco:secure_email_gateway:15.0.0-050:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4AEA665F-86B3-4AA6-9E99-6F935264222A"}, {"criteria": "cpe:2.3:a:cisco:secure_email_gateway:15.0.0-256:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "988AAD9A-B4FD-42C5-B222-53A4E69CE87E"}, {"criteria": "cpe:2.3:a:cisco:web_security_appliance:14.0.0-418:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5A694B4F-D454-405B-B620-A899543DA2E8"}, {"criteria": "cpe:2.3:a:cisco:web_security_appliance:14.0.1-033:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CB812B1F-3E7E-4AD6-9AA3-241B957A0047"}, {"criteria": "cpe:2.3:a:cisco:web_security_appliance:14.0.1-053:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BDE6AB7B-561D-4D50-907B-605CD0649A98"}, {"criteria": "cpe:2.3:a:cisco:web_security_appliance:15.0.0-050:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B71B523B-95F6-463F-B96B-9C301B6FFA9B"}, {"criteria": "cpe:2.3:a:cisco:web_security_appliance:15.0.0-256:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1DFDA027-9BED-4DB5-804D-A192FF8138CF"}], "operator": "OR"}]}], "sourceIdentifier": "ykramarz@cisco.com"}