Details of VAR-202306-1845

ID

VAR-202306-1845

CVE

CVE-2023-20120

TITLE

Cross-site scripting vulnerability in multiple Cisco Systems products

Trust: 0.8

sources: JVNDB: JVNDB-2023-024109

DESCRIPTION

Multiple vulnerabilities in the web-based management interface of Cisco AsyncOS Software for Cisco Secure Email and Web Manager; Cisco Secure Email Gateway, formerly Cisco Email Security Appliance (ESA); and Cisco Secure Web Appliance, formerly Cisco Web Security Appliance (WSA), could allow a remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. For more information about these vulnerabilities, see the Details section of this advisory. Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities. This advisory is available at the following link:sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esa-sma-wsa-xss-cP9DuEmq Attention: Simplifying the Cisco portfolio includes the renaming of security products under one brand: Cisco Secure

Trust: 1.71

sources: NVD: CVE-2023-20120 // JVNDB: JVNDB-2023-024109 // VULMON: CVE-2023-20120

AFFECTED PRODUCTS

vendor:	cisco	model:	secure email gateway	scope:	eq	version:	15.0.0-256	Trust: 1.0
vendor:	cisco	model:	web security appliance	scope:	eq	version:	14.0.1-033	Trust: 1.0
vendor:	cisco	model:	secure email gateway	scope:	eq	version:	14.0.1-033	Trust: 1.0
vendor:	cisco	model:	web security appliance	scope:	eq	version:	14.0.1-053	Trust: 1.0
vendor:	cisco	model:	secure email and web manager	scope:	eq	version:	15.0.0-256	Trust: 1.0
vendor:	cisco	model:	web security appliance	scope:	eq	version:	15.0.0-050	Trust: 1.0
vendor:	cisco	model:	secure email and web manager	scope:	eq	version:	14.0.1-033	Trust: 1.0
vendor:	cisco	model:	web security appliance	scope:	eq	version:	14.0.0-418	Trust: 1.0
vendor:	cisco	model:	secure email gateway	scope:	eq	version:	14.0.1-053	Trust: 1.0
vendor:	cisco	model:	secure email and web manager	scope:	eq	version:	14.0.1-053	Trust: 1.0
vendor:	cisco	model:	secure email gateway	scope:	eq	version:	14.0.0-418	Trust: 1.0
vendor:	cisco	model:	secure email gateway	scope:	eq	version:	15.0.0-050	Trust: 1.0
vendor:	cisco	model:	web security appliance	scope:	eq	version:	15.0.0-256	Trust: 1.0
vendor:	cisco	model:	secure email and web manager	scope:	eq	version:	15.0.0-050	Trust: 1.0
vendor:	cisco	model:	secure email and web manager	scope:	eq	version:	14.0.0-418	Trust: 1.0
vendor:	シスコシステムズ	model:	cisco secure email and web manager	scope:	eq	version:	15.0.0-050	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco secure email and web manager	scope:	eq	version:	14.0.1-033	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco secure email and web manager	scope:	eq	version:	14.0.1-053	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco secure email gateway	scope:	-	version:	-	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco secure email and web manager	scope:	eq	version:	15.0.0-256	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco web セキュリティアプライアンスソフトウェア	scope:	-	version:	-	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco secure email and web manager	scope:	eq	version:	14.0.0-418	Trust: 0.8

sources: JVNDB: JVNDB-2023-024109 // NVD: CVE-2023-20120

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2023-20120
value:	MEDIUM
Trust: 1.0
ykramarz@cisco.com:	CVE-2023-20120
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2023-20120
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-202306-2003
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2023-20120
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	2.7
version:	3.1
Trust: 1.0
ykramarz@cisco.com:	CVE-2023-20120
baseSeverity:	MEDIUM
baseScore:	5.4
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.3
impactScore:	2.7
version:	3.1
Trust: 1.0
NVD:	CVE-2023-20120
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2023-024109 // CNNVD: CNNVD-202306-2003 // NVD: CVE-2023-20120 // NVD: CVE-2023-20120

PROBLEMTYPE DATA

problemtype:	CWE-79	Trust: 1.0
problemtype:	Cross-site scripting (CWE-79) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2023-024109 // NVD: CVE-2023-20120

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202306-2003

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202306-2003

PATCH

title:	cisco-sa-esa-sma-wsa-xss-cP9DuEmq	url:	https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esa-sma-wsa-xss-cP9DuEmq	Trust: 0.8
title:	Multiple Cisco product Fixes for cross-site scripting vulnerabilities	url:	http://123.124.177.30/web/xxk/bdxqById.tag?id=244904	Trust: 0.6
title:	Cisco: Cisco Secure Email Gateway, Cisco Secure Email and Web Manager, and Cisco Secure Web Appliance Cross-Site Scripting Vulnerabilities	url:	https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-esa-sma-wsa-xss-cP9DuEmq	Trust: 0.1

sources: VULMON: CVE-2023-20120 // JVNDB: JVNDB-2023-024109 // CNNVD: CNNVD-202306-2003

EXTERNAL IDS

db:	NVD	id:	CVE-2023-20120	Trust: 3.3
db:	JVNDB	id:	JVNDB-2023-024109	Trust: 0.8
db:	CNNVD	id:	CNNVD-202306-2003	Trust: 0.6
db:	VULMON	id:	CVE-2023-20120	Trust: 0.1

sources: VULMON: CVE-2023-20120 // JVNDB: JVNDB-2023-024109 // CNNVD: CNNVD-202306-2003 // NVD: CVE-2023-20120

REFERENCES

url:	https://sec.cloudapps.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-esa-sma-wsa-xss-cp9duemq	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2023-20120	Trust: 0.8
url:	https://cxsecurity.com/cveshow/cve-2023-20120/	Trust: 0.6

sources: VULMON: CVE-2023-20120 // JVNDB: JVNDB-2023-024109 // CNNVD: CNNVD-202306-2003 // NVD: CVE-2023-20120

SOURCES

db:	VULMON	id:	CVE-2023-20120
db:	JVNDB	id:	JVNDB-2023-024109
db:	CNNVD	id:	CNNVD-202306-2003
db:	NVD	id:	CVE-2023-20120

LAST UPDATE DATE

2024-08-14T14:23:58.289000+00:00

SOURCES UPDATE DATE

db:	JVNDB	id:	JVNDB-2023-024109	date:	2024-01-30T06:38:00
db:	CNNVD	id:	CNNVD-202306-2003	date:	2023-07-10T00:00:00
db:	NVD	id:	CVE-2023-20120	date:	2023-11-07T04:06:06.050

SOURCES RELEASE DATE

db:	JVNDB	id:	JVNDB-2023-024109	date:	2024-01-30T00:00:00
db:	CNNVD	id:	CNNVD-202306-2003	date:	2023-06-28T00:00:00
db:	NVD	id:	CVE-2023-20120	date:	2023-06-28T15:15:09.760