CVE-2022-20867

Summary

A vulnerability in web-based management interface of the of Cisco Email Security Appliance and Cisco Secure Email and Web Manager could allow an authenticated, remote attacker to conduct SQL injection attacks as root on an affected system. The attacker must have the credentials of a high-privileged user account. This vulnerability is due to improper validation of user-submitted parameters. An attacker could exploit this vulnerability by authenticating to the application and sending malicious requests to an affected system. A successful exploit could allow the attacker to obtain data or modify data that is stored in the underlying database of the affected system.

Affected Software

VendorProductVersion RangeStatus
CiscoCisco Secure Email13.0.0-392affected
CiscoCisco Secure Email13.5.1-277affected
CiscoCisco Secure Email12.5.0-066affected
CiscoCisco Secure Email14.0.0-698affected
CiscoCisco Secure Email14.2.0-620affected
CiscoCisco Secure Email and Web Manager12.0.1-011affected
CiscoCisco Secure Email and Web Manager12.5.0-636affected
CiscoCisco Secure Email and Web Manager12.5.0-658affected
CiscoCisco Secure Email and Web Manager12.5.0-678affected
CiscoCisco Secure Email and Web Manager12.5.0-670affected
CiscoCisco Secure Email and Web Manager13.0.0-277affected
CiscoCisco Secure Email and Web Manager13.6.2-078affected
CiscoCisco Secure Email and Web Manager13.8.1-068affected
CiscoCisco Secure Email and Web Manager13.8.1-074affected
CiscoCisco Secure Email and Web Manager12.8.1-002affected
CiscoCisco Secure Email and Web Manager14.0.0-404affected
CiscoCisco Secure Email and Web Manager14.1.0-223affected
CiscoCisco Secure Email and Web Manager14.1.0-227affected

Weaknesses

  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References