Details of VAR-201610-0337

ID

VAR-201610-0337

CVE

CVE-2016-1423

TITLE

Cisco E Email Security Runs on the appliance device AsyncOS of MIQ Cross-site scripting vulnerability in view email message display

Trust: 0.8

sources: JVNDB: JVNDB-2016-005644

DESCRIPTION

A vulnerability in the display of email messages in the Messages in Quarantine (MIQ) view in Cisco AsyncOS for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to cause a user to click a malicious link in the MIQ view. The malicious link could be used to facilitate a cross-site scripting (XSS) or HTML injection attack. More Information: CSCuz02235. Known Affected Releases: 8.0.2-069. Known Fixed Releases: 9.1.1-038 9.7.2-047. Vendors have confirmed this vulnerability Bug ID CSCuz02235 It is released as.By any third party Web Script or HTML May be inserted. The Cisco AsyncOS operating system is designed to enhance the security and performance of Cisco Email Security appliances. A security vulnerability exists in Cisco AsyncOS that allows an attacker to exploit the vulnerability to bypass certain security restrictions and perform unauthorized operations. This issue is being tracked by Cisco Bug ID CSCuz02235

Trust: 2.52

sources: NVD: CVE-2016-1423 // JVNDB: JVNDB-2016-005644 // CNVD: CNVD-2016-10398 // BID: 93912 // VULHUB: VHN-90242

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2016-10398

AFFECTED PRODUCTS

vendor:	cisco	model:	email security appliance	scope:	eq	version:	8.9.0	Trust: 1.6
vendor:	cisco	model:	email security appliance	scope:	eq	version:	9.0.0-212	Trust: 1.6
vendor:	cisco	model:	email security appliance	scope:	eq	version:	9.1.0-101	Trust: 1.6
vendor:	cisco	model:	email security appliance	scope:	eq	version:	9.1.0-032	Trust: 1.6
vendor:	cisco	model:	email security appliance	scope:	eq	version:	8.9.1-000	Trust: 1.6
vendor:	cisco	model:	email security appliance	scope:	eq	version:	9.1.0	Trust: 1.6
vendor:	cisco	model:	email security appliance	scope:	eq	version:	9.0.0	Trust: 1.6
vendor:	cisco	model:	email security appliance	scope:	eq	version:	9.0.0-461	Trust: 1.6
vendor:	cisco	model:	email security appliance	scope:	eq	version:	9.0.5-000	Trust: 1.6
vendor:	cisco	model:	email security appliance	scope:	eq	version:	8.9.2-032	Trust: 1.6
vendor:	cisco	model:	email security appliance	scope:	eq	version:	9.1.0-011	Trust: 1.0
vendor:	cisco	model:	asyncos	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	e email security the appliance	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	asyncos software	scope:	-	version:	-	Trust: 0.6
vendor:	cisco	model:	email security appliance	scope:	eq	version:	0	Trust: 0.3
vendor:	cisco	model:	asyncos	scope:	eq	version:	-	Trust: 0.3

sources: CNVD: CNVD-2016-10398 // BID: 93912 // JVNDB: JVNDB-2016-005644 // CNNVD: CNNVD-201610-751 // NVD: CVE-2016-1423

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2016-1423
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2016-1423
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2016-10398
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201610-751
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-90242
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2016-1423
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2016-10398
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-90242
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2016-1423
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	2.7
version:	3.0
Trust: 1.8

sources: CNVD: CNVD-2016-10398 // VULHUB: VHN-90242 // JVNDB: JVNDB-2016-005644 // CNNVD: CNNVD-201610-751 // NVD: CVE-2016-1423

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.9

sources: VULHUB: VHN-90242 // JVNDB: JVNDB-2016-005644 // NVD: CVE-2016-1423

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201610-751

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201610-751

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-005644

PATCH

title:	cisco-sa-20161026-esa4	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161026-esa4	Trust: 0.8
title:	CiscoAsyncOS Security Bypass Vulnerability Patch	url:	https://www.cnvd.org.cn/patchInfo/show/83244	Trust: 0.6
title:	Cisco AsyncOS for Cisco Email Security Appliances Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=65107	Trust: 0.6

sources: CNVD: CNVD-2016-10398 // JVNDB: JVNDB-2016-005644 // CNNVD: CNNVD-201610-751

EXTERNAL IDS

db:	NVD	id:	CVE-2016-1423	Trust: 3.4
db:	BID	id:	93912	Trust: 2.6
db:	SECTRACK	id:	1037113	Trust: 1.1
db:	JVNDB	id:	JVNDB-2016-005644	Trust: 0.8
db:	CNNVD	id:	CNNVD-201610-751	Trust: 0.7
db:	CNVD	id:	CNVD-2016-10398	Trust: 0.6
db:	VULHUB	id:	VHN-90242	Trust: 0.1

sources: CNVD: CNVD-2016-10398 // VULHUB: VHN-90242 // BID: 93912 // JVNDB: JVNDB-2016-005644 // CNNVD: CNNVD-201610-751 // NVD: CVE-2016-1423

REFERENCES

url:	http://www.securityfocus.com/bid/93912	Trust: 2.3
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20161026-esa4	Trust: 2.0
url:	http://www.securitytracker.com/id/1037113	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-1423	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-1423	Trust: 0.8
url:	http://www.cisco.com/c/en/us/products/security/email-security-appliance/index.html	Trust: 0.3
url:	http://www.cisco.com/	Trust: 0.3

sources: CNVD: CNVD-2016-10398 // VULHUB: VHN-90242 // BID: 93912 // JVNDB: JVNDB-2016-005644 // CNNVD: CNNVD-201610-751 // NVD: CVE-2016-1423

CREDITS

Cisco

Trust: 0.9

sources: BID: 93912 // CNNVD: CNNVD-201610-751

SOURCES

db:	CNVD	id:	CNVD-2016-10398
db:	VULHUB	id:	VHN-90242
db:	BID	id:	93912
db:	JVNDB	id:	JVNDB-2016-005644
db:	CNNVD	id:	CNNVD-201610-751
db:	NVD	id:	CVE-2016-1423

LAST UPDATE DATE

2024-11-23T21:42:44.338000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2016-10398	date:	2016-10-31T00:00:00
db:	VULHUB	id:	VHN-90242	date:	2017-07-29T00:00:00
db:	BID	id:	93912	date:	2016-11-24T10:04:00
db:	JVNDB	id:	JVNDB-2016-005644	date:	2016-11-01T00:00:00
db:	CNNVD	id:	CNNVD-201610-751	date:	2016-11-23T00:00:00
db:	NVD	id:	CVE-2016-1423	date:	2024-11-21T02:46:24.997

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2016-10398	date:	2016-10-31T00:00:00
db:	VULHUB	id:	VHN-90242	date:	2016-10-28T00:00:00
db:	BID	id:	93912	date:	2016-10-26T00:00:00
db:	JVNDB	id:	JVNDB-2016-005644	date:	2016-11-01T00:00:00
db:	CNNVD	id:	CNNVD-201610-751	date:	2016-10-28T00:00:00
db:	NVD	id:	CVE-2016-1423	date:	2016-10-28T10:59:00.213