CVE-2024-20392

Summary

A vulnerability in the web-based management API of Cisco AsyncOS Software for Cisco Secure Email Gateway could allow an unauthenticated, remote attacker to conduct an HTTP response splitting attack. This vulnerability is due to insufficient input validation of some parameters that are passed to the web-based management API of the affected system. An attacker could exploit this vulnerability by persuading a user of an affected interface to click a crafted link. A successful exploit could allow the attacker to perform cross-site scripting (XSS) attacks, resulting in the execution of arbitrary script code in the browser of the targeted user, or could allow the attacker to access sensitive, browser-based information.

Affected Software

VendorProductVersion RangeStatus
CiscoCisco Secure Email11.0.3-238affected
CiscoCisco Secure Email11.1.0-069affected
CiscoCisco Secure Email11.1.0-128affected
CiscoCisco Secure Email12.0.0-419affected
CiscoCisco Secure Email12.1.0-071affected
CiscoCisco Secure Email12.1.0-087affected
CiscoCisco Secure Email12.1.0-089affected
CiscoCisco Secure Email13.0.0-392affected
CiscoCisco Secure Email13.0.5-007affected
CiscoCisco Secure Email13.5.1-277affected
CiscoCisco Secure Email13.5.4-038affected
CiscoCisco Secure Email12.5.0-066affected
CiscoCisco Secure Email12.5.4-041affected
CiscoCisco Secure Email12.5.3-041affected
CiscoCisco Secure Email14.0.0-698affected
CiscoCisco Secure Email14.2.0-620affected
CiscoCisco Secure Email14.2.1-020affected
CiscoCisco Secure Email14.3.0-032affected
CiscoCisco Secure Email15.0.0-104affected
CiscoCisco Secure Email15.0.1-030affected
CiscoCisco Secure Email15.5.0-048affected

Weaknesses

  • CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References