Cisco Content Security Management Appliance and Cisco Email Security Appliance Information Disclosure Vulnerability

cisco-sa-20190904-sma-info-dis · Medium · Published 6 years ago · Updated 5 years ago

Data: Cisco advisories 1 day ago · Cisco CSAF 5 hours ago · NVD CVEs 8 hours ago · NVD CPEs 1 day ago · CISA KEV 1 day ago · EPSS 1 day ago

A vulnerability in the authorization module of Cisco Content Security Management Appliance (SMA) Software and Cisco Email Security Appliance (ESA) could allow an authenticated, remote attacker to gain out-of-scope access to email. The vulnerability exists because the affected software does not correctly implement role permission controls. An attacker could exploit this vulnerability by using a custom role with specific permissions. A successful exploit could allow the attacker to access the spam quarantine of other users. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link:https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190904-sma-info-dis

Cisco advisory ·CSAF JSON

Workarounds

There are no workarounds that address this vulnerability.

CVEs	CVE-2019-12635
Cisco Bug IDs	CSCvs52719 , CSCvp62827
CVSS Score	Base 4.3 Base 4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:X/RC:X

Products with public affected evidence

Product	CVE	Affected evidence
Cisco Secure Email	CVE-2019-12635	structured affected CSAF product_status
Cisco Secure Email and Web Manager	CVE-2019-12635	structured affected CSAF product_status