Details of VAR-202009-1112

ID

VAR-202009-1112

CVE

CVE-2020-3137

TITLE

Cisco Email Security Appliance Cross-site Scripting Vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2020-011574

DESCRIPTION

A vulnerability in the web-based management interface of Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerability exists because the web-based management interface of the affected device does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user to click a malicious link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or to access sensitive, browser-based information. AsyncOS Software is a set of operating systems running on it. The vulnerability stems from the lack of proper validation of client data by web applications. An attacker could use this vulnerability to execute client code

Trust: 2.25

sources: NVD: CVE-2020-3137 // JVNDB: JVNDB-2020-011574 // CNVD: CNVD-2020-07219 // VULHUB: VHN-181262

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2020-07219

AFFECTED PRODUCTS

vendor:	cisco	model:	email security appliance	scope:	lte	version:	13.0.0	Trust: 1.0
vendor:	シスコシステムズ	model:	cisco e メールセキュリティアプライアンス	scope:	eq	version:	-	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco e メールセキュリティアプライアンス	scope:	eq	version:	cisco e email security appliance	Trust: 0.8
vendor:	cisco	model:	email security appliance	scope:	lte	version:	<=13.0	Trust: 0.6

sources: CNVD: CNVD-2020-07219 // JVNDB: JVNDB-2020-011574 // NVD: CVE-2020-3137

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-3137
value:	MEDIUM
Trust: 1.0
ykramarz@cisco.com:	CVE-2020-3137
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2020-3137
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2020-07219
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202001-1390
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-181262
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2020-3137
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2020-07219
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-181262
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

ykramarz@cisco.com:	CVE-2020-3137
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	2.7
version:	3.0
Trust: 1.8
nvd@nist.gov:	CVE-2020-3137
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	2.7
version:	3.1
Trust: 1.0

sources: CNVD: CNVD-2020-07219 // VULHUB: VHN-181262 // JVNDB: JVNDB-2020-011574 // CNNVD: CNNVD-202001-1390 // NVD: CVE-2020-3137 // NVD: CVE-2020-3137

PROBLEMTYPE DATA

problemtype:	CWE-79	Trust: 1.1
problemtype:	Cross-site scripting (CWE-79) [NVD Evaluation ]	Trust: 0.8

sources: VULHUB: VHN-181262 // JVNDB: JVNDB-2020-011574 // NVD: CVE-2020-3137

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202001-1390

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202001-1390

PATCH

title:	cisco-sa-email-sec-xss-EbjXuXwP	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-email-sec-xss-EbjXuXwP	Trust: 0.8
title:	Patch for Cisco Email Security Appliance Cross-Site Scripting Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/200609	Trust: 0.6
title:	Cisco Email Security Appliance AsyncOS Software Fixes for cross-site scripting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=107733	Trust: 0.6

sources: CNVD: CNVD-2020-07219 // JVNDB: JVNDB-2020-011574 // CNNVD: CNNVD-202001-1390

EXTERNAL IDS

db:	NVD	id:	CVE-2020-3137	Trust: 3.1
db:	JVNDB	id:	JVNDB-2020-011574	Trust: 0.8
db:	CNVD	id:	CNVD-2020-07219	Trust: 0.7
db:	CNNVD	id:	CNNVD-202001-1390	Trust: 0.7
db:	AUSCERT	id:	ESB-2020.0235	Trust: 0.6
db:	VULHUB	id:	VHN-181262	Trust: 0.1

sources: CNVD: CNVD-2020-07219 // VULHUB: VHN-181262 // JVNDB: JVNDB-2020-011574 // CNNVD: CNNVD-202001-1390 // NVD: CVE-2020-3137

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-email-sec-xss-ebjxuxwp	Trust: 2.3
url:	https://nvd.nist.gov/vuln/detail/cve-2020-3137	Trust: 2.0
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-esa-dos-87mbkc8n	Trust: 0.6
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-esa-bypass-5cdv2hma	Trust: 0.6
url:	https://vigilance.fr/vulnerability/cisco-esa-cross-site-scripting-via-web-based-management-interface-31409	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.0235/	Trust: 0.6

sources: CNVD: CNVD-2020-07219 // VULHUB: VHN-181262 // JVNDB: JVNDB-2020-011574 // CNNVD: CNNVD-202001-1390 // NVD: CVE-2020-3137

SOURCES

db:	CNVD	id:	CNVD-2020-07219
db:	VULHUB	id:	VHN-181262
db:	JVNDB	id:	JVNDB-2020-011574
db:	CNNVD	id:	CNNVD-202001-1390
db:	NVD	id:	CVE-2020-3137

LAST UPDATE DATE

2024-11-23T21:35:18.970000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2020-07219	date:	2020-02-14T00:00:00
db:	VULHUB	id:	VHN-181262	date:	2020-09-29T00:00:00
db:	JVNDB	id:	JVNDB-2020-011574	date:	2021-04-06T09:06:00
db:	CNNVD	id:	CNNVD-202001-1390	date:	2020-09-30T00:00:00
db:	NVD	id:	CVE-2020-3137	date:	2024-11-21T05:30:24.120

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2020-07219	date:	2020-02-14T00:00:00
db:	VULHUB	id:	VHN-181262	date:	2020-09-23T00:00:00
db:	JVNDB	id:	JVNDB-2020-011574	date:	2021-04-06T00:00:00
db:	CNNVD	id:	CNNVD-202001-1390	date:	2020-01-22T00:00:00
db:	NVD	id:	CVE-2020-3137	date:	2020-09-23T01:15:15.333