← Back

CVE-2022-20867

nvd nist
Published: Nov 4, 2022Modified: Nov 21, 2024

JSON object

Loading...
6.5
Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Exploitability: 1.2 / Impact: 5.2
Source: NVD

Description

A vulnerability in web-based management interface of the of Cisco Email Security Appliance and Cisco Secure Email and Web Manager could allow an authenticated, remote attacker to conduct SQL injection attacks as root on an affected system. The attacker must have the credentials of a high-privileged user account. This vulnerability is due to improper validation of user-submitted parameters. An attacker could exploit this vulnerability by authenticating to the application and sending malicious requests to an affected system. A successful exploit could allow the attacker to obtain data or modify data that is stored in the underlying database of the affected system.

Affected (2)

Products: Cisco: Asyncos
Cisco
1 product
Asyncos
Configuration A
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Asyncos
From 13.0 to 14.2.1
Running on/withPlatform Versions
Cisco
Secure Email Gateway
All versions
Configuration B
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Asyncos
From 12.0 to 14.2.0
Running on/withPlatform Versions
Cisco
Secure Email And Web Manager
All versions

Related CWEs

CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

References (2)

Source: psirt@cisco.com
Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.