A vulnerability in the Spam Quarantine feature of Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager could allow an unauthenticated, remote attacker to execute arbitrary system commands on an affected device with root privileges. This vulnerability is due to insufficient validation of HTTP requests by the Spam Quarantine feature. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device.
A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with root privileges.
Vulnerable Products (26)

| Configuration | From (including) | Up to (excluding) |
|---|---|---|
| Cisco Asyncos `cpe:2.3:o:cisco:asyncos:*:*:*:*:*:*:*:*` | — | 15.0.5-016 |
| Cisco Asyncos `cpe:2.3:o:cisco:asyncos:*:*:*:*:*:*:*:*` | 15.5 | 15.5.4-012 |
| Cisco Asyncos `cpe:2.3:o:cisco:asyncos:*:*:*:*:*:*:*:*` | 16.0 | 16.0.4-016 |
| Cisco Secure_Email_Gateway_Virtual_Appliance_C100v `cpe:2.3:a:cisco:secure_email_gateway_virtual_appliance_c100v:-:*:*:*:*:*:*:*` | — | — |
| Cisco Secure_Email_Gateway_Virtual_Appliance_C300v `cpe:2.3:a:cisco:secure_email_gateway_virtual_appliance_c300v:-:*:*:*:*:*:*:*` | — | — |
| Cisco Secure_Email_Gateway_Virtual_Appliance_C600v `cpe:2.3:a:cisco:secure_email_gateway_virtual_appliance_c600v:-:*:*:*:*:*:*:*` | — | — |
| Cisco Secure_Email_Gateway_C195 `cpe:2.3:h:cisco:secure_email_gateway_c195:-:*:*:*:*:*:*:*` | — | — |
| Cisco Secure_Email_Gateway_C395 `cpe:2.3:h:cisco:secure_email_gateway_c395:-:*:*:*:*:*:*:*` | — | — |
| Cisco Secure_Email_Gateway_C695 `cpe:2.3:h:cisco:secure_email_gateway_c695:-:*:*:*:*:*:*:*` | — | — |
| Cisco Asyncos `cpe:2.3:o:cisco:asyncos:*:*:*:*:*:*:*:*` | — | 15.0.2-007 |
| Cisco Asyncos `cpe:2.3:o:cisco:asyncos:*:*:*:*:*:*:*:*` | 15.5 | 15.5.4-007 |
| Cisco Asyncos `cpe:2.3:o:cisco:asyncos:*:*:*:*:*:*:*:*` | 16.0 | 16.0.4-010 |
| Cisco Secure_Email_And_Web_Manager_Virtual_Appliance_M100v `cpe:2.3:a:cisco:secure_email_and_web_manager_virtual_appliance_m100v:-:*:*:*:*:*:*:*` | — | — |
| Cisco Secure_Email_And_Web_Manager_Virtual_Appliance_M300v `cpe:2.3:a:cisco:secure_email_and_web_manager_virtual_appliance_m300v:-:*:*:*:*:*:*:*` | — | — |
| Cisco Secure_Email_And_Web_Manager_Virtual_Appliance_M600v `cpe:2.3:a:cisco:secure_email_and_web_manager_virtual_appliance_m600v:-:*:*:*:*:*:*:*` | — | — |
| Cisco Secure_Email_And_Web_Manager_M170 `cpe:2.3:h:cisco:secure_email_and_web_manager_m170:-:*:*:*:*:*:*:*` | — | — |
| Cisco Secure_Email_And_Web_Manager_M190 `cpe:2.3:h:cisco:secure_email_and_web_manager_m190:-:*:*:*:*:*:*:*` | — | — |
| Cisco Secure_Email_And_Web_Manager_M195 `cpe:2.3:h:cisco:secure_email_and_web_manager_m195:-:*:*:*:*:*:*:*` | — | — |
| Cisco Secure_Email_And_Web_Manager_M380 `cpe:2.3:h:cisco:secure_email_and_web_manager_m380:-:*:*:*:*:*:*:*` | — | — |
| Cisco Secure_Email_And_Web_Manager_M390 `cpe:2.3:h:cisco:secure_email_and_web_manager_m390:-:*:*:*:*:*:*:*` | — | — |
| Cisco Secure_Email_And_Web_Manager_M390x `cpe:2.3:h:cisco:secure_email_and_web_manager_m390x:-:*:*:*:*:*:*:*` | — | — |
| Cisco Secure_Email_And_Web_Manager_M395 `cpe:2.3:h:cisco:secure_email_and_web_manager_m395:-:*:*:*:*:*:*:*` | — | — |
| Cisco Secure_Email_And_Web_Manager_M680 `cpe:2.3:h:cisco:secure_email_and_web_manager_m680:-:*:*:*:*:*:*:*` | — | — |
| Cisco Secure_Email_And_Web_Manager_M690 `cpe:2.3:h:cisco:secure_email_and_web_manager_m690:-:*:*:*:*:*:*:*` | — | — |
| Cisco Secure_Email_And_Web_Manager_M690x `cpe:2.3:h:cisco:secure_email_and_web_manager_m690x:-:*:*:*:*:*:*:*` | — | — |
| Cisco Secure_Email_And_Web_Manager_M695 `cpe:2.3:h:cisco:secure_email_and_web_manager_m695:-:*:*:*:*:*:*:*` | — | — |