CVE-2023-20179

Summary

A vulnerability in the web-based management interface of Cisco Catalyst SD-WAN Manager, formerly Cisco SD-WAN vManage, could allow an authenticated, remote attacker to inject HTML content. This vulnerability is due to improper validation of user-supplied data in element fields. An attacker could exploit this vulnerability by submitting malicious content within requests and persuading a user to view a page that contains injected content. A successful exploit could allow the attacker to modify pages within the web-based management interface, possibly leading to further browser-based attacks against users of the application.

Affected Software

VendorProductVersion RangeStatus
CiscoCisco SD-WAN vManage20.3.1affected
CiscoCisco SD-WAN vManage20.3.2affected
CiscoCisco SD-WAN vManage20.3.2.1affected
CiscoCisco SD-WAN vManage20.3.3affected
CiscoCisco SD-WAN vManage20.3.3.1affected
CiscoCisco SD-WAN vManage20.3.4affected
CiscoCisco SD-WAN vManage20.3.4.1affected
CiscoCisco SD-WAN vManage20.3.4.2affected
CiscoCisco SD-WAN vManage20.3.5affected
CiscoCisco SD-WAN vManage20.3.6affected
CiscoCisco SD-WAN vManage20.3.7affected
CiscoCisco SD-WAN vManage20.3.7.1affected
CiscoCisco SD-WAN vManage20.3.4.3affected
CiscoCisco SD-WAN vManage20.3.5.1affected
CiscoCisco SD-WAN vManage20.3.7.2affected
CiscoCisco SD-WAN vManage20.4.1affected
CiscoCisco SD-WAN vManage20.4.1.1affected
CiscoCisco SD-WAN vManage20.4.1.2affected
CiscoCisco SD-WAN vManage20.4.2affected
CiscoCisco SD-WAN vManage20.4.2.2affected
CiscoCisco SD-WAN vManage20.4.2.1affected
CiscoCisco SD-WAN vManage20.4.2.3affected
CiscoCisco SD-WAN vManage20.5.1affected
CiscoCisco SD-WAN vManage20.5.1.2affected
CiscoCisco SD-WAN vManage20.5.1.1affected
CiscoCisco SD-WAN vManage20.6.1affected
CiscoCisco SD-WAN vManage20.6.1.1affected
CiscoCisco SD-WAN vManage20.6.2.1affected
CiscoCisco SD-WAN vManage20.6.2.2affected
CiscoCisco SD-WAN vManage20.6.2affected
CiscoCisco SD-WAN vManage20.6.3affected
CiscoCisco SD-WAN vManage20.6.3.1affected
CiscoCisco SD-WAN vManage20.6.4affected
CiscoCisco SD-WAN vManage20.6.5affected
CiscoCisco SD-WAN vManage20.6.5.1affected
CiscoCisco SD-WAN vManage20.6.1.2affected
CiscoCisco SD-WAN vManage20.6.3.2affected
CiscoCisco SD-WAN vManage20.6.4.1affected
CiscoCisco SD-WAN vManage20.6.5.2affected
CiscoCisco SD-WAN vManage20.6.5.4affected
CiscoCisco SD-WAN vManage20.6.3.3affected
CiscoCisco SD-WAN vManage20.6.4.2affected
CiscoCisco SD-WAN vManage20.6.3.0.45affected
CiscoCisco SD-WAN vManage20.6.3.0.46affected
CiscoCisco SD-WAN vManage20.6.3.0.47affected
CiscoCisco SD-WAN vManage20.6.3.4affected
CiscoCisco SD-WAN vManage20.6.4.0.21affected
CiscoCisco SD-WAN vManage20.6.5.1.10affected
CiscoCisco SD-WAN vManage20.6.5.1.7affected
CiscoCisco SD-WAN vManage20.6.5.1.9affected
CiscoCisco SD-WAN vManage20.6.5.2.4affected
CiscoCisco SD-WAN vManage20.6.5.5affected
CiscoCisco SD-WAN vManage20.7.1affected
CiscoCisco SD-WAN vManage20.7.1.1affected
CiscoCisco SD-WAN vManage20.7.2affected
CiscoCisco SD-WAN vManage20.8.1affected
CiscoCisco SD-WAN vManage20.9.1affected
CiscoCisco SD-WAN vManage20.9.2affected
CiscoCisco SD-WAN vManage20.9.2.1affected
CiscoCisco SD-WAN vManage20.9.3affected
CiscoCisco SD-WAN vManage20.9.3.1affected
CiscoCisco SD-WAN vManage20.9.2.3affected
CiscoCisco SD-WAN vManage20.9.3.0.12affected
CiscoCisco SD-WAN vManage20.9.3.0.16affected
CiscoCisco SD-WAN vManage20.9.3.0.17affected
CiscoCisco SD-WAN vManage20.9.3.0.18affected
CiscoCisco SD-WAN vManage20.9.3.2affected
CiscoCisco SD-WAN vManage20.9.3.2_LI_Imagesaffected
CiscoCisco SD-WAN vManage20.9.4affected
CiscoCisco SD-WAN vManage20.10.1affected
CiscoCisco SD-WAN vManage20.10.1.1affected
CiscoCisco SD-WAN vManage20.10.1.2affected
CiscoCisco SD-WAN vManage20.11.1affected
CiscoCisco SD-WAN vManage20.11.1.1affected
CiscoCisco SD-WAN vManage20.11.1.2affected

Weaknesses

  • CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References