6.1

CVE-2023-20120

Multiple vulnerabilities in the web-based management interface of Cisco AsyncOS Software for Cisco Secure Email and Web Manager; Cisco Secure Email Gateway, formerly Cisco Email Security Appliance (ESA); and Cisco Secure Web Appliance, formerly Cisco Web Security Appliance (WSA), could allow a remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. For more information about these vulnerabilities, see the Details section of this advisory.

Data is provided by the National Vulnerability Database (NVD)
Cisco Secure Email And Web Manager Version 14.0.0-418
Cisco Secure Email And Web Manager Version 14.0.1-033
Cisco Secure Email And Web Manager Version 14.0.1-053
Cisco Secure Email And Web Manager Version 15.0.0-050
Cisco Secure Email And Web Manager Version 15.0.0-256
Cisco Secure Email Gateway Version 14.0.0-418
Cisco Secure Email Gateway Version 14.0.1-033
Cisco Secure Email Gateway Version 14.0.1-053
Cisco Secure Email Gateway Version 15.0.0-050
Cisco Secure Email Gateway Version 15.0.0-256
Cisco Web Security Appliance Version 14.0.0-418
Cisco Web Security Appliance Version 14.0.1-033
Cisco Web Security Appliance Version 14.0.1-053
Cisco Web Security Appliance Version 15.0.0-050
Cisco Web Security Appliance Version 15.0.0-256
No CISA KEV or CERT.AT warning was found for this CVE.
EPSS Metrics
Type    Source       Score    Percentile
EPSS    FIRST.org    0.12%    0.278
CVSS Metrics
Source             Base Score    Exploit Score    Impact Score    Vector string
nvd@nist.gov       6.1           2.8              2.7             CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
psirt@cisco.com    5.4           2.3              2.7             CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.