Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-20392

A vulnerability in the web-based management API of Cisco AsyncOS Software for Cisco Secure Email Gateway could allow an unauthenticated, remote attacker to conduct an HTTP response splitting attack. This vulnerability is due to insufficient input validation of some parameters that are passed to the web-based management API of the affected system. An attacker could exploit this vulnerability by persuading a user of an affected interface to click a crafted link. A successful exploit could allow the attacker to perform cross-site scripting (XSS) attacks, resulting in the execution of arbitrary script code in the browser of the targeted user, or could allow the attacker to access sensitive, browser-based information.

Published

2024-05-15T18:15:10.390

Last Modified

2025-08-06T16:48:40.873

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 6.1 (MEDIUM)

Weaknesses

Type: Secondary
CWE-113

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Operating System	cisco	asyncos	11.0.3-238	Yes
Operating System	cisco	asyncos	11.1.0-069	Yes
Operating System	cisco	asyncos	11.1.0-128	Yes
Operating System	cisco	asyncos	12.0.0-419	Yes
Operating System	cisco	asyncos	12.1.0-071	Yes
Operating System	cisco	asyncos	12.1.0-087	Yes
Operating System	cisco	asyncos	12.1.0-089	Yes
Operating System	cisco	asyncos	12.5.0-066	Yes
Operating System	cisco	asyncos	12.5.3-041	Yes
Operating System	cisco	asyncos	12.5.4-041	Yes
Operating System	cisco	asyncos	13.0.0-392	Yes
Operating System	cisco	asyncos	13.0.5-007	Yes
Operating System	cisco	asyncos	13.5.1-277	Yes
Operating System	cisco	asyncos	13.5.4-038	Yes
Operating System	cisco	asyncos	14.0.0-698	Yes
Operating System	cisco	asyncos	14.2.0-620	Yes
Operating System	cisco	asyncos	14.2.1-020	Yes
Operating System	cisco	asyncos	14.3.0-032	Yes
Operating System	cisco	asyncos	15.0.0-104	Yes
Operating System	cisco	asyncos	15.0.1-030	Yes
Operating System	cisco	asyncos	15.5.0-048	Yes
Application	cisco	secure_email_gateway_virtual_appliance_c100v	-	No
Application	cisco	secure_email_gateway_virtual_appliance_c300v	-	No
Application	cisco	secure_email_gateway_virtual_appliance_c600v	-	No
Hardware	cisco	secure_email_gateway_c195	-	No
Hardware	cisco	secure_email_gateway_c395	-	No
Hardware	cisco	secure_email_gateway_c695	-	No

References

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esa-http-split-GLrnnOwS Vendor Advisory ([email protected])
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esa-http-split-GLrnnOwS Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)