CVE-2022-20867 — SQL Injection in Cisco Asyncos

CWE-89 — SQL Injection CWE-321 — Use of Hard-coded Cryptographic Key4 documents4 sources

Severity

6.5MEDIUMNVD

CNA5.4

EPSS

0.1%

top 67.86%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cisco Asyncos Cisco Secure Email Cisco Secure Email AND WEB Manager

Timeline

PublishedNov 4

Description

A vulnerability in web-based management interface of the of Cisco Email Security Appliance and Cisco Secure Email and Web Manager could allow an authenticated, remote attacker to conduct SQL injection attacks as root on an affected system. The attacker must have the credentials of a high-privileged user account. This vulnerability is due to improper validation of user-submitted parameters. An attacker could exploit this vulnerability by authenticating to the application and sending malicious req…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:NExploitability: 1.2 | Impact: 5.2

Affected Packages3 packages

▶CVEListV5cisco/cisco_secure_email_and_web_manager13 versions+12

▶CVEListV5cisco/cisco_secure_email5 versions+4

▶NVDcisco/asyncos13.0 — 14.2.1+1

🔴Vulnerability Details

GHSA

GHSA-hmj5-j6m5-7r84: A vulnerability in web-based management interface of the of Cisco Email Security Appliance and Cisco Secure Email and Web Manager could allow an authe↗2022-11-04

▶

CVEList

CVE-2022-20867: A vulnerability in web-based management interface of the of Cisco Email Security Appliance and Cisco Secure Email and Web Manager could allow an authe↗2022-11-03

▶

📋Vendor Advisories

Cisco

Cisco Email Security Appliance, Cisco Secure Email and Web Manager, and Cisco Secure Web Appliance Next Generation Management Vulnerabilities↗2022-11-02

▶