Details of VAR-202306-1941

ID

VAR-202306-1941

CVE

CVE-2023-20119

TITLE

Cross-site scripting vulnerability in multiple Cisco Systems products

Trust: 0.8

sources: JVNDB: JVNDB-2023-024108

DESCRIPTION

A vulnerability in the web-based management interface of Cisco AsyncOS Software for Cisco Secure Email and Web Manager, formerly known as Content Security Management Appliance (SMA) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability is due to insufficient user input validation. An attacker could exploit this vulnerability by persuading a user of an affected interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. For more information about these vulnerabilities, see the Details section of this advisory. Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities. This advisory is available at the following link:sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esa-sma-wsa-xss-cP9DuEmq Attention: Simplifying the Cisco portfolio includes the renaming of security products under one brand: Cisco Secure

Trust: 1.71

sources: NVD: CVE-2023-20119 // JVNDB: JVNDB-2023-024108 // VULMON: CVE-2023-20119

AFFECTED PRODUCTS

vendor:	cisco	model:	secure email gateway	scope:	eq	version:	15.0.0-256	Trust: 1.0
vendor:	cisco	model:	web security appliance	scope:	eq	version:	14.0.1-033	Trust: 1.0
vendor:	cisco	model:	secure email gateway	scope:	eq	version:	14.0.1-033	Trust: 1.0
vendor:	cisco	model:	web security appliance	scope:	eq	version:	14.0.1-053	Trust: 1.0
vendor:	cisco	model:	secure email and web manager	scope:	eq	version:	15.0.0-256	Trust: 1.0
vendor:	cisco	model:	web security appliance	scope:	eq	version:	15.0.0-050	Trust: 1.0
vendor:	cisco	model:	secure email and web manager	scope:	eq	version:	14.0.1-033	Trust: 1.0
vendor:	cisco	model:	web security appliance	scope:	eq	version:	14.0.0-418	Trust: 1.0
vendor:	cisco	model:	secure email gateway	scope:	eq	version:	14.0.1-053	Trust: 1.0
vendor:	cisco	model:	secure email and web manager	scope:	eq	version:	14.0.1-053	Trust: 1.0
vendor:	cisco	model:	secure email gateway	scope:	eq	version:	14.0.0-418	Trust: 1.0
vendor:	cisco	model:	secure email gateway	scope:	eq	version:	15.0.0-050	Trust: 1.0
vendor:	cisco	model:	web security appliance	scope:	eq	version:	15.0.0-256	Trust: 1.0
vendor:	cisco	model:	secure email and web manager	scope:	eq	version:	15.0.0-050	Trust: 1.0
vendor:	cisco	model:	secure email and web manager	scope:	eq	version:	14.0.0-418	Trust: 1.0
vendor:	シスコシステムズ	model:	cisco secure email and web manager	scope:	eq	version:	15.0.0-050	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco secure email and web manager	scope:	eq	version:	14.0.1-033	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco secure email and web manager	scope:	eq	version:	14.0.1-053	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco secure email gateway	scope:	-	version:	-	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco secure email and web manager	scope:	eq	version:	15.0.0-256	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco web セキュリティアプライアンスソフトウェア	scope:	-	version:	-	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco secure email and web manager	scope:	eq	version:	14.0.0-418	Trust: 0.8

sources: JVNDB: JVNDB-2023-024108 // NVD: CVE-2023-20119

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2023-20119
value:	MEDIUM
Trust: 1.0
ykramarz@cisco.com:	CVE-2023-20119
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2023-20119
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-202306-2001
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2023-20119
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	2.7
version:	3.1
Trust: 2.0
NVD:	CVE-2023-20119
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2023-024108 // CNNVD: CNNVD-202306-2001 // NVD: CVE-2023-20119 // NVD: CVE-2023-20119

PROBLEMTYPE DATA

problemtype:	CWE-79	Trust: 1.0
problemtype:	Cross-site scripting (CWE-79) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2023-024108 // NVD: CVE-2023-20119

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202306-2001

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202306-2001

PATCH

title:	cisco-sa-esa-sma-wsa-xss-cP9DuEmq	url:	https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esa-sma-wsa-xss-cP9DuEmq	Trust: 0.8
title:	Multiple Cisco product Fixes for cross-site scripting vulnerabilities	url:	http://123.124.177.30/web/xxk/bdxqById.tag?id=244902	Trust: 0.6
title:	Cisco: Cisco Secure Email Gateway, Cisco Secure Email and Web Manager, and Cisco Secure Web Appliance Cross-Site Scripting Vulnerabilities	url:	https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-esa-sma-wsa-xss-cP9DuEmq	Trust: 0.1

sources: VULMON: CVE-2023-20119 // JVNDB: JVNDB-2023-024108 // CNNVD: CNNVD-202306-2001

EXTERNAL IDS

db:	NVD	id:	CVE-2023-20119	Trust: 3.3
db:	JVNDB	id:	JVNDB-2023-024108	Trust: 0.8
db:	CNNVD	id:	CNNVD-202306-2001	Trust: 0.6
db:	VULMON	id:	CVE-2023-20119	Trust: 0.1

sources: VULMON: CVE-2023-20119 // JVNDB: JVNDB-2023-024108 // CNNVD: CNNVD-202306-2001 // NVD: CVE-2023-20119

REFERENCES

url:	https://sec.cloudapps.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-esa-sma-wsa-xss-cp9duemq	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2023-20119	Trust: 0.8
url:	https://cxsecurity.com/cveshow/cve-2023-20119/	Trust: 0.6

sources: VULMON: CVE-2023-20119 // JVNDB: JVNDB-2023-024108 // CNNVD: CNNVD-202306-2001 // NVD: CVE-2023-20119

SOURCES

db:	VULMON	id:	CVE-2023-20119
db:	JVNDB	id:	JVNDB-2023-024108
db:	CNNVD	id:	CNNVD-202306-2001
db:	NVD	id:	CVE-2023-20119

LAST UPDATE DATE

2024-08-14T15:41:42.230000+00:00

SOURCES UPDATE DATE

db:	JVNDB	id:	JVNDB-2023-024108	date:	2024-01-30T06:38:00
db:	CNNVD	id:	CNNVD-202306-2001	date:	2023-07-13T00:00:00
db:	NVD	id:	CVE-2023-20119	date:	2024-01-25T17:15:31.220

SOURCES RELEASE DATE

db:	JVNDB	id:	JVNDB-2023-024108	date:	2024-01-30T00:00:00
db:	CNNVD	id:	CNNVD-202306-2001	date:	2023-06-28T00:00:00
db:	NVD	id:	CVE-2023-20119	date:	2023-06-28T15:15:09.700