CVE-2020-3547

Description

A vulnerability in the web-based management interface of Cisco AsyncOS software for Cisco Email Security Appliance (ESA), Cisco Content Security Management Appliance (SMA), and Cisco Web Security Appliance (WSA) could allow an authenticated, remote attacker to access sensitive information on an affected device. The vulnerability exists because an insecure method is used to mask certain passwords on the web-based management interface. An attacker could exploit this vulnerability by looking at the raw HTML code that is received from the interface. A successful exploit could allow the attacker to obtain some of the passwords configured throughout the interface.

Risk Information

Base Score

6.5

MODERATE

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS Score

Exploitation Probability

0.172

Associated Vulnerability

Vulnerability	OS Platform
Cisco Content Security Management Appliance and Cisco Web Security Appliance Information Disclosure Vulnerability For Cisco IronPort Security Management Appliance Software	NCM
Cisco Content Security Management Appliance and Cisco Web Security Appliance Information Disclosure Vulnerability For Cisco IronPort Web Security Appliance Software	NCM
Insufficiently Protected Credentials Vulnerability (CVE-2020-3547)	NCM

Patch Details

Click to see the patches provided by ManageEngine for this CVE

Patch ID	Patch Description
PATCH-1706033	Security Update for Cisco IronPort Security Management Appliance Software 11.0.1-152
PATCH-1706023	Security Update for Cisco IronPort Web Security Appliance Software 9.1.2-010

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234