A vulnerability in the web-based management interface of Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote…
cisco·CWE-79·Published 2020-09-23
A vulnerability in the web-based management interface of Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerability exists because the web-based management interface of the affected device does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user to click a malicious link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or to access sensitive, browser-based information.
A vulnerability in the web-based management interface of Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerability exists because the web-based management interface of the affected device does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user to click a malicious link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or to access sensitive, browser-based information.
Una vulnerabilidad en la interfaz de administración basada en web de Cisco Email Security Appliance (ESA), podría permitir a un atacante remoto no autenticado conducir a ataques de tipo cross-site scripting (XSS) contra un usuario de la interfaz de administración basada en web de un dispositivo afectado. La vulnerabilidad se presenta porque la interfaz de administración basada en web del dispositivo afectado no comprueba apropiadamente la entrada proporcionada por el usuario. Un atacante podría explotar esta vulnerabilidad al persuadir a un usuario para que haga clic en un enlace malicioso. Una explotación con éxito podría permitir al atacante ejecutar código script arbitrario en el contexto de la interfaz afectada o acceder a información confidencial basada en el navegador
| Version | Type | Source | Base | Exp | Impact | Vector |
|---|---|---|---|---|---|---|
| 2.0 | Primary | NVD | 4.3 | 8.6 | 2.9 | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| 3.0 | Primary | cve.org | 6.1 | — | — | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| 3.0 | Secondary | NVD | 6.1 | 2.8 | 2.7 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| 3.1 | Primary | NVD | 6.1 | 2.8 | 2.7 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |