Details of VAR-201706-0580

ID

VAR-201706-0580

CVE

CVE-2017-6661

TITLE

Cisco ESA and SMA of Web -Based scripting interface cross-site scripting vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2017-004887

DESCRIPTION

A vulnerability in the web-based management interface of Cisco Email Security Appliance (ESA) and Cisco Content Security Management Appliance (SMA) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device, aka Message Tracking XSS. More Information: CSCvd30805 CSCvd34861. Known Affected Releases: 10.0.0-203 10.1.0-049. Vendors have confirmed this vulnerability Bug ID CSCvd30805 and CSCvd34861 It is released as.A remote attacker could conduct a cross-site scripting attack. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issues are being tracked by Cisco Bug ID's CSCvd30805 and CSCvd34861. A remote attacker can exploit this vulnerability to inject arbitrary web script or HTML

Trust: 1.98

sources: NVD: CVE-2017-6661 // JVNDB: JVNDB-2017-004887 // BID: 98950 // VULHUB: VHN-114864

AFFECTED PRODUCTS

vendor:	cisco	model:	content security management appliance	scope:	eq	version:	10.1.0-049	Trust: 2.7
vendor:	cisco	model:	content security management appliance	scope:	eq	version:	10.0.0-203	Trust: 2.4
vendor:	cisco	model:	email security appliance	scope:	eq	version:	10.0.0-203	Trust: 1.9
vendor:	cisco	model:	email security appliance	scope:	eq	version:	10.1.0-049	Trust: 1.6
vendor:	cisco	model:	e email security the appliance	scope:	eq	version:	10.0.0-203	Trust: 0.8
vendor:	cisco	model:	e email security the appliance	scope:	eq	version:	10.1.0-049	Trust: 0.8

sources: BID: 98950 // JVNDB: JVNDB-2017-004887 // CNNVD: CNNVD-201706-363 // NVD: CVE-2017-6661

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-6661
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2017-6661
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201706-363
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-114864
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2017-6661
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-114864
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2017-6661
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	2.7
version:	3.0
Trust: 1.8

sources: VULHUB: VHN-114864 // JVNDB: JVNDB-2017-004887 // CNNVD: CNNVD-201706-363 // NVD: CVE-2017-6661

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.9

sources: VULHUB: VHN-114864 // JVNDB: JVNDB-2017-004887 // NVD: CVE-2017-6661

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201706-363

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201706-363

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-004887

PATCH

title:

cisco-sa-20170607-esa

url:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170607-esa

Trust: 0.8

sources: JVNDB: JVNDB-2017-004887

EXTERNAL IDS

db:	NVD	id:	CVE-2017-6661	Trust: 2.8
db:	BID	id:	98950	Trust: 2.0
db:	SECTRACK	id:	1038638	Trust: 1.1
db:	SECTRACK	id:	1038637	Trust: 1.1
db:	JVNDB	id:	JVNDB-2017-004887	Trust: 0.8
db:	CNNVD	id:	CNNVD-201706-363	Trust: 0.7
db:	NSFOCUS	id:	36818	Trust: 0.6
db:	VULHUB	id:	VHN-114864	Trust: 0.1

sources: VULHUB: VHN-114864 // BID: 98950 // JVNDB: JVNDB-2017-004887 // CNNVD: CNNVD-201706-363 // NVD: CVE-2017-6661

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20170607-esa	Trust: 2.0
url:	http://www.securityfocus.com/bid/98950	Trust: 1.7
url:	http://www.securitytracker.com/id/1038637	Trust: 1.1
url:	http://www.securitytracker.com/id/1038638	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-6661	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-6661	Trust: 0.8
url:	http://www.nsfocus.net/vulndb/36818	Trust: 0.6
url:	http://www.cisco.com/	Trust: 0.3

sources: VULHUB: VHN-114864 // BID: 98950 // JVNDB: JVNDB-2017-004887 // CNNVD: CNNVD-201706-363 // NVD: CVE-2017-6661

CREDITS

Cisco

Trust: 0.9

sources: BID: 98950 // CNNVD: CNNVD-201706-363

SOURCES

db:	VULHUB	id:	VHN-114864
db:	BID	id:	98950
db:	JVNDB	id:	JVNDB-2017-004887
db:	CNNVD	id:	CNNVD-201706-363
db:	NVD	id:	CVE-2017-6661

LAST UPDATE DATE

2024-11-23T22:30:46.609000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-114864	date:	2017-07-08T00:00:00
db:	BID	id:	98950	date:	2017-06-07T00:00:00
db:	JVNDB	id:	JVNDB-2017-004887	date:	2017-07-10T00:00:00
db:	CNNVD	id:	CNNVD-201706-363	date:	2017-07-14T00:00:00
db:	NVD	id:	CVE-2017-6661	date:	2024-11-21T03:30:14.820

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-114864	date:	2017-06-13T00:00:00
db:	BID	id:	98950	date:	2017-06-07T00:00:00
db:	JVNDB	id:	JVNDB-2017-004887	date:	2017-07-10T00:00:00
db:	CNNVD	id:	CNNVD-201706-363	date:	2017-06-07T00:00:00
db:	NVD	id:	CVE-2017-6661	date:	2017-06-13T06:29:00.940