Details of VAR-202306-2182

ID

VAR-202306-2182

CVE

CVE-2023-20028

TITLE

Cross-site scripting vulnerability in multiple Cisco Systems products

Trust: 0.8

sources: JVNDB: JVNDB-2023-024105

DESCRIPTION

Multiple vulnerabilities in the web-based management interface of Cisco AsyncOS Software for Cisco Secure Email and Web Manager; Cisco Secure Email Gateway, formerly Cisco Email Security Appliance (ESA); and Cisco Secure Web Appliance, formerly Cisco Web Security Appliance (WSA), could allow a remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. For more information about these vulnerabilities, see the Details section of this advisory. Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities. This advisory is available at the following link:sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esa-sma-wsa-xss-cP9DuEmq Attention: Simplifying the Cisco portfolio includes the renaming of security products under one brand: Cisco Secure

Trust: 1.71

sources: NVD: CVE-2023-20028 // JVNDB: JVNDB-2023-024105 // VULMON: CVE-2023-20028

AFFECTED PRODUCTS

vendor:	cisco	model:	secure email gateway	scope:	eq	version:	15.0.0-256	Trust: 1.0
vendor:	cisco	model:	web security appliance	scope:	eq	version:	14.0.1-033	Trust: 1.0
vendor:	cisco	model:	secure email gateway	scope:	eq	version:	14.0.1-033	Trust: 1.0
vendor:	cisco	model:	web security appliance	scope:	eq	version:	14.0.1-053	Trust: 1.0
vendor:	cisco	model:	secure email and web manager	scope:	eq	version:	15.0.0-256	Trust: 1.0
vendor:	cisco	model:	web security appliance	scope:	eq	version:	15.0.0-050	Trust: 1.0
vendor:	cisco	model:	secure email and web manager	scope:	eq	version:	14.0.1-033	Trust: 1.0
vendor:	cisco	model:	web security appliance	scope:	eq	version:	14.0.0-418	Trust: 1.0
vendor:	cisco	model:	secure email gateway	scope:	eq	version:	14.0.1-053	Trust: 1.0
vendor:	cisco	model:	secure email and web manager	scope:	eq	version:	14.0.1-053	Trust: 1.0
vendor:	cisco	model:	secure email gateway	scope:	eq	version:	14.0.0-418	Trust: 1.0
vendor:	cisco	model:	secure email gateway	scope:	eq	version:	15.0.0-050	Trust: 1.0
vendor:	cisco	model:	web security appliance	scope:	eq	version:	15.0.0-256	Trust: 1.0
vendor:	cisco	model:	secure email and web manager	scope:	eq	version:	15.0.0-050	Trust: 1.0
vendor:	cisco	model:	secure email and web manager	scope:	eq	version:	14.0.0-418	Trust: 1.0
vendor:	シスコシステムズ	model:	cisco secure email and web manager	scope:	eq	version:	15.0.0-050	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco secure email and web manager	scope:	eq	version:	14.0.1-033	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco secure email and web manager	scope:	eq	version:	14.0.1-053	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco secure email gateway	scope:	-	version:	-	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco secure email and web manager	scope:	eq	version:	15.0.0-256	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco web セキュリティアプライアンスソフトウェア	scope:	-	version:	-	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco secure email and web manager	scope:	eq	version:	14.0.0-418	Trust: 0.8

sources: JVNDB: JVNDB-2023-024105 // NVD: CVE-2023-20028

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2023-20028
value:	MEDIUM
Trust: 1.0
ykramarz@cisco.com:	CVE-2023-20028
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2023-20028
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-202306-2002
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2023-20028
baseSeverity:	MEDIUM
baseScore:	5.4
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.3
impactScore:	2.7
version:	3.1
Trust: 2.0
NVD:	CVE-2023-20028
baseSeverity:	MEDIUM
baseScore:	5.4
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2023-024105 // CNNVD: CNNVD-202306-2002 // NVD: CVE-2023-20028 // NVD: CVE-2023-20028

PROBLEMTYPE DATA

problemtype:	CWE-79	Trust: 1.0
problemtype:	Cross-site scripting (CWE-79) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2023-024105 // NVD: CVE-2023-20028

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202306-2002

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202306-2002

PATCH

title:	cisco-sa-esa-sma-wsa-xss-cP9DuEmq	url:	https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esa-sma-wsa-xss-cP9DuEmq	Trust: 0.8
title:	Multiple Cisco product Fixes for cross-site scripting vulnerabilities	url:	http://123.124.177.30/web/xxk/bdxqById.tag?id=244903	Trust: 0.6
title:	Cisco: Cisco Secure Email Gateway, Cisco Secure Email and Web Manager, and Cisco Secure Web Appliance Cross-Site Scripting Vulnerabilities	url:	https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-esa-sma-wsa-xss-cP9DuEmq	Trust: 0.1

sources: VULMON: CVE-2023-20028 // JVNDB: JVNDB-2023-024105 // CNNVD: CNNVD-202306-2002

EXTERNAL IDS

db:	NVD	id:	CVE-2023-20028	Trust: 3.3
db:	JVNDB	id:	JVNDB-2023-024105	Trust: 0.8
db:	CNNVD	id:	CNNVD-202306-2002	Trust: 0.6
db:	VULMON	id:	CVE-2023-20028	Trust: 0.1

sources: VULMON: CVE-2023-20028 // JVNDB: JVNDB-2023-024105 // CNNVD: CNNVD-202306-2002 // NVD: CVE-2023-20028

REFERENCES

url:	https://sec.cloudapps.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-esa-sma-wsa-xss-cp9duemq	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2023-20028	Trust: 0.8
url:	https://cxsecurity.com/cveshow/cve-2023-20028/	Trust: 0.6

sources: VULMON: CVE-2023-20028 // JVNDB: JVNDB-2023-024105 // CNNVD: CNNVD-202306-2002 // NVD: CVE-2023-20028

SOURCES

db:	VULMON	id:	CVE-2023-20028
db:	JVNDB	id:	JVNDB-2023-024105
db:	CNNVD	id:	CNNVD-202306-2002
db:	NVD	id:	CVE-2023-20028

LAST UPDATE DATE

2024-08-14T14:17:08.162000+00:00

SOURCES UPDATE DATE

db:	JVNDB	id:	JVNDB-2023-024105	date:	2024-01-30T06:37:00
db:	CNNVD	id:	CNNVD-202306-2002	date:	2023-07-10T00:00:00
db:	NVD	id:	CVE-2023-20028	date:	2023-11-07T04:05:48.153

SOURCES RELEASE DATE

db:	JVNDB	id:	JVNDB-2023-024105	date:	2024-01-30T00:00:00
db:	CNNVD	id:	CNNVD-202306-2002	date:	2023-06-28T00:00:00
db:	NVD	id:	CVE-2023-20028	date:	2023-06-28T15:15:09.457