CVE-2021-34741 – Cisco Email Security Appliance Denial of Service Vulnerability
https://notcve.org/view.php?id=CVE-2021-34741
A vulnerability in the email scanning algorithm of Cisco AsyncOS software for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to perform a denial of service (DoS) attack against an affected device. This vulnerability is due to insufficient input validation of incoming emails. An attacker could exploit this vulnerability by sending a crafted email through Cisco ESA. A successful exploit could allow the attacker to exhaust all the available CPU resources on an affected device for an extended period of time, preventing other emails from being processed and resulting in a DoS condition. Una vulnerabilidad en el algoritmo de análisis del correo electrónico del software Cisco AsyncOS para Cisco Email Security Appliance (ESA) podría permitir a un atacante remoto no autenticado llevar a cabo un ataque de denegación de servicio (DoS) contra un dispositivo afectado. • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esa-dos-JOm9ETfO • CWE-770: Allocation of Resources Without Limits or Throttling •
CVE-2018-0140
https://notcve.org/view.php?id=CVE-2018-0140
A vulnerability in the spam quarantine of Cisco Email Security Appliance and Cisco Content Security Management Appliance could allow an authenticated, remote attacker to download any message from the spam quarantine by modifying browser string information. The vulnerability is due to a lack of verification of authenticated user accounts. An attacker could exploit this vulnerability by modifying browser strings to see messages submitted by other users to the spam quarantine within their company. Cisco Bug IDs: CSCvg39759, CSCvg42295. Una vulnerabilidad en la cuarentena de spam de Cisco Email Security Appliance y Cisco Content Security Management Appliance podría permitir que un atacante remoto autenticado descargue cualquier mensaje de la cuarentena de spam modificando la información de las cadenas del navegador. • http://www.securityfocus.com/bid/103090 http://www.securitytracker.com/id/1040338 http://www.securitytracker.com/id/1040339 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180207-esacsm • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-425: Direct Request ('Forced Browsing') •