CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 2CVE-2015-0624 – Cisco Ironport AsyncOS HTTP Header Injection
https://notcve.org/view.php?id=CVE-2015-0624
21 Feb 2015 — The web framework in Cisco AsyncOS on Email Security Appliance (ESA), Content Security Management Appliance (SMA), and Web Security Appliance (WSA) devices allows remote attackers to trigger redirects via a crafted HTTP header, aka Bug IDs CSCur44412, CSCur44415, CSCur89630, CSCur89636, CSCur89633, and CSCur89639. El Framework web en los dispositivos Cisco AsyncOS on Email Security Appliance (ESA), Content Security Management Appliance (SMA), y Web Security Appliance (WSA) permite a atacantes remotos provoc... • https://packetstorm.news/files/id/130525 • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2015-0628
https://notcve.org/view.php?id=CVE-2015-0628
20 Feb 2015 — The proxy engine on Cisco Web Security Appliance (WSA) devices allows remote attackers to bypass intended proxying restrictions via a malformed HTTP method, aka Bug ID CSCus79174. El motor de redirección en los dispositivos Cisco Web Security Appliance (WSA) permite a atacantes remotos evadir las restricciones de redirección a través de un método HTTP malformado, también conocido como Bug ID CSCus79174. • http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2015-0628 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2015-0623
https://notcve.org/view.php?id=CVE-2015-0623
19 Feb 2015 — Cross-site scripting (XSS) vulnerability in the Administrator report page on Cisco Web Security Appliance (WSA) devices allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka Bug ID CSCus40627. Vulnerabilidad de XSS en la página de informes de administradores en los dispositivos Cisco Web Security Appliance (WSA) permite a atacantes remotos inyectar secuencias de comandos web arbitrarios o HTML a través de vectores no especificados, también conocido como Bug ID CSCus4062... • http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2015-0623 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 6EXPL: 1CVE-2014-3289
https://notcve.org/view.php?id=CVE-2014-3289
10 Jun 2014 — Cross-site scripting (XSS) vulnerability in the web management interface in Cisco AsyncOS on the Email Security Appliance (ESA) 8.0, Web Security Appliance (WSA) 8.0 (.5 Hot Patch 1) and earlier, and Content Security Management Appliance (SMA) 8.3 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted parameter, as demonstrated by the date_range parameter to monitor/reports/overview on the IronPort ESA, aka Bug IDs CSCun07998, CSCun07844, and CSCun07888. Vulnerabilidad de X... • http://packetstormsecurity.com/files/127004/Cisco-Ironport-Email-Security-Virtual-Appliance-8.0.0-671-XSS.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 9EXPL: 0CVE-2014-2137
https://notcve.org/view.php?id=CVE-2014-2137
02 Apr 2014 — CRLF injection vulnerability in the web framework in Cisco Web Security Appliance (WSA) 7.7 and earlier allows remote attackers to inject arbitrary HTTP headers and conduct redirection attacks via a crafted URL, aka Bug ID CSCuj61002. Vulnerabilidad de inyección CRLF en el framework web en Cisco Web Security Appliance (WSA) 7.7 y anteriores permite a atacantes remotos inyectar cabeceras HTTP arbitrarias y realizar ataques de redirección a través de una URL manipulada, también conocido como Bug ID CSCuj61002... • http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-2137 • CWE-20: Improper Input Validation •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2013-5537
https://notcve.org/view.php?id=CVE-2013-5537
24 Oct 2013 — The web framework on Cisco Web Security Appliance (WSA), Email Security Appliance (ESA), and Content Security Management Appliance (SMA) devices does not properly manage the state of HTTP and HTTPS sessions, which allows remote attackers to cause a denial of service (management GUI outage) via multiple TCP connections, aka Bug IDs CSCuj59411, CSCuf89818, and CSCuh05635. El framework web en dispositivos Cisco Web Security Appliance (WSA), Email Security Appliance (ESA), y Content Security Management Applianc... • http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-5537 • CWE-20: Improper Input Validation •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 1CVE-2013-3395 – Cisco Ironport Cross Site Request Forgery / Cross Site Scripting
https://notcve.org/view.php?id=CVE-2013-3395
02 Jul 2013 — Cross-site request forgery (CSRF) vulnerability in the web framework on Cisco IronPort Web Security Appliance (WSA) devices, Email Security Appliance (ESA) devices, and Content Security Management Appliance (SMA) devices allows remote attackers to hijack the authentication of arbitrary users, aka Bug IDs CSCuh70263, CSCuh70323, and CSCuh26634. Vulnerabilidad CSRG en el framework web en los dispositivos Cisco IronPort Web Security Appliance (WSA), Email Security Appliance (ESA) y Content Security Management ... • https://packetstorm.news/files/id/122955 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.0EPSS: 0%CPEs: 4EXPL: 0CVE-2013-3383
https://notcve.org/view.php?id=CVE-2013-3383
27 Jun 2013 — The web framework in IronPort AsyncOS on Cisco Web Security Appliance devices before 7.1.3-013, 7.5 before 7.5.0-838, and 7.7 before 7.7.0-550 allows remote authenticated users to execute arbitrary commands via crafted command-line input in a URL sent over IPv4, aka Bug ID CSCzv69294. El framework web de IronPort AsyncOS en dispositivos Cisco Web Security Appliance antes v7.1.3-013, v7.5 antes de v7.5.0-838, y v7.7 antes de v7.7.0-550 permite a los usuarios autenticados remotamente ejecutar código arbitrari... • http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130626-wsa • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.0EPSS: 0%CPEs: 11EXPL: 0CVE-2013-3384
https://notcve.org/view.php?id=CVE-2013-3384
27 Jun 2013 — The web framework in IronPort AsyncOS on Cisco Web Security Appliance devices before 7.1.3-013, 7.5 before 7.5.0-838, and 7.7 before 7.7.0-550; Email Security Appliance devices before 7.1.5-104, 7.3 before 7.3.2-026, 7.5 before 7.5.2-203, and 7.6 before 7.6.3-019; and Content Security Management Appliance devices before 7.2.2-110, 7.7 before 7.7.0-213, and 7.8 and 7.9 before 7.9.1-102 allows remote authenticated users to execute arbitrary commands via crafted command-line input in a URL, aka Bug IDs CSCzv85... • http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130626-esa • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.8EPSS: 0%CPEs: 11EXPL: 0CVE-2013-3385
https://notcve.org/view.php?id=CVE-2013-3385
27 Jun 2013 — The management GUI in the web framework in IronPort AsyncOS on Cisco Web Security Appliance devices before 7.1.3-013, 7.5 before 7.5.0-838, and 7.7 before 7.7.0-602; Email Security Appliance devices before 7.1.5-106 and 7.3, 7.5, and 7.6 before 7.6.3-019; and Content Security Management Appliance devices before 7.9.1-102 and 8.0 before 8.0.0-404 allows remote attackers to cause a denial of service (system hang) via a series of (1) HTTP or (2) HTTPS requests to a management interface, aka Bug IDs CSCzv58669,... • http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130626-esa • CWE-399: Resource Management Errors •