ID

VAR-202205-1554


CVE

CVE-2022-20802


TITLE

Cross-site scripting vulnerability in Cisco Enterprise Chat and Email

Trust: 0.8

sources: JVNDB: JVNDB-2022-011223

DESCRIPTION

A vulnerability in the web interface of Cisco Enterprise Chat and Email (ECE) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability is due to insufficient validation of user-supplied input that is processed by the web interface. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected system. A successful exploit could allow the attacker to execute arbitrary code in the context of the interface or access sensitive, browser-based information. To successfully exploit this vulnerability, an attacker would need valid agent credentials. This product mainly provides e-mail, chat and Web callback functions for other Cisco solutions. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ece-strd-xss-BqFXO9D2

Trust: 1.8

sources: NVD: CVE-2022-20802 // JVNDB: JVNDB-2022-011223 // VULHUB: VHN-405355 // VULMON: CVE-2022-20802

AFFECTED PRODUCTS

vendor: cisco, model: enterprise chat and email, scope: lt, version: 12.6\(1\)es2

Trust: 1.0

vendor: Cisco Systems, model: enterprise chat and email, scope: -, version: -

Trust: 0.8

vendor: Cisco Systems, model: enterprise chat and email, scope: eq, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2022-011223 // NVD: CVE-2022-20802

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-20802
value: MEDIUM

Trust: 1.0

ykramarz@cisco.com: CVE-2022-20802
value: MEDIUM

Trust: 1.0

NVD: CVE-2022-20802
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202205-3737
value: MEDIUM

Trust: 0.6

VULHUB: VHN-405355
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2022-20802
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-405355
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2022-20802
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.3
impactScore: 2.7
version: 3.1

Trust: 2.0

NVD: CVE-2022-20802
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-405355 // JVNDB: JVNDB-2022-011223 // CNNVD: CNNVD-202205-3737 // NVD: CVE-2022-20802 // NVD: CVE-2022-20802

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.1

problemtype: Cross-site scripting (CWE-79) [NVD evaluation]

Trust: 0.8

sources: VULHUB: VHN-405355 // JVNDB: JVNDB-2022-011223 // NVD: CVE-2022-20802

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202205-3737

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202205-3737

PATCH

title: cisco-sa-ece-strd-xss-BqFXO9D2
url: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ece-strd-xss-BqFXO9D2

Trust: 0.8

title: Cisco Enterprise Chat and Email Fixes for cross-site scripting vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=193397

Trust: 0.6

title: Cisco: Cisco Enterprise Chat and Email Stored Cross-Site Scripting Vulnerability
url: https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-ece-strd-xss-BqFXO9D2

Trust: 0.1

sources: VULMON: CVE-2022-20802 // JVNDB: JVNDB-2022-011223 // CNNVD: CNNVD-202205-3737

EXTERNAL IDS

db: NVD, id: CVE-2022-20802

Trust: 3.4

db: JVNDB, id: JVNDB-2022-011223

Trust: 0.8

db: CNNVD, id: CNNVD-202205-3737

Trust: 0.7

db: CS-HELP, id: SB2022051904

Trust: 0.6

db: CNVD, id: CNVD-2022-50667

Trust: 0.1

db: VULHUB, id: VHN-405355

Trust: 0.1

db: VULMON, id: CVE-2022-20802

Trust: 0.1

sources: VULHUB: VHN-405355 // VULMON: CVE-2022-20802 // JVNDB: JVNDB-2022-011223 // CNNVD: CNNVD-202205-3737 // NVD: CVE-2022-20802

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-ece-strd-xss-bqfxo9d2

Trust: 2.4

url:https://nvd.nist.gov/vuln/detail/cve-2022-20802

Trust: 0.8

url:https://cxsecurity.com/cveshow/cve-2022-20802/

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2022051904

Trust: 0.6

sources: VULHUB: VHN-405355 // VULMON: CVE-2022-20802 // JVNDB: JVNDB-2022-011223 // CNNVD: CNNVD-202205-3737 // NVD: CVE-2022-20802

SOURCES

db: VULHUB, id: VHN-405355
db: VULMON, id: CVE-2022-20802
db: JVNDB, id: JVNDB-2022-011223
db: CNNVD, id: CNNVD-202205-3737
db: NVD, id: CVE-2022-20802

LAST UPDATE DATE

2024-08-14T15:11:27.494000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-405355, date: 2022-06-09T00:00:00
db: JVNDB, id: JVNDB-2022-011223, date: 2023-08-21T05:36:00
db: CNNVD, id: CNNVD-202205-3737, date: 2022-06-10T00:00:00
db: NVD, id: CVE-2022-20802, date: 2023-11-07T03:42:59.647

SOURCES RELEASE DATE

db: VULHUB, id: VHN-405355, date: 2022-05-27T00:00:00
db: JVNDB, id: JVNDB-2022-011223, date: 2023-08-21T00:00:00
db: CNNVD, id: CNNVD-202205-3737, date: 2022-05-18T00:00:00
db: NVD, id: CVE-2022-20802, date: 2022-05-27T14:15:08.730