Sign-up

ID

VAR-201711-0319


CVE

CVE-2017-12320


TITLE

Cisco Registered Envelope Service Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2017-010145

DESCRIPTION

Multiple vulnerabilities in the web interface of the Cisco Registered Envelope Service (a cloud-based service) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack or redirect a user of the affected service to an undesired web page. The vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface of the affected service. An attacker could exploit these vulnerabilities by persuading a user to click a malicious link or by sending an HTTP request that could cause the affected service to redirect the request to a specified malicious URL. A successful exploit could allow the attacker to execute arbitrary script code in the context of the web interface of the affected system or allow the attacker to access sensitive browser-based information on the affected system. These types of exploits could also be used in phishing attacks that send users to malicious websites without their knowledge. Cisco Bug IDs: CSCve77195, CSCve90978, CSCvf42310, CSCvf42703, CSCvf42723, CSCvf46169, CSCvf49999. Vendors have confirmed this vulnerability Bug ID CSCve77195 , CSCve90978 , CSCvf42310 , CSCvf42703 , CSCvf42723 , CSCvf46169 ,and CSCvf49999 It is released as.Information may be obtained and information may be altered. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. The product includes read receipts for mail, mail recycling, mail forwarding and replying, and smartphone support

Trust: 1.98

sources: NVD: CVE-2017-12320 // JVNDB: JVNDB-2017-010145 // BID: 101863 // VULHUB: VHN-102831

AFFECTED PRODUCTS

vendor:ciscomodel:registered envelope servicescope:eqversion: -

Trust: 1.6

vendor:ciscomodel:registered envelope servicescope: - version: -

Trust: 0.8

vendor:ciscomodel:registered envelope servicescope:eqversion:0

Trust: 0.3

vendor:ciscomodel:email encryptionscope:eqversion:5.3

Trust: 0.3

vendor:ciscomodel:email encryptionscope:eqversion:5.3.0-038

Trust: 0.3

sources: BID: 101863 // JVNDB: JVNDB-2017-010145 // CNNVD: CNNVD-201711-664 // NVD: CVE-2017-12320

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-12320
value: MEDIUM

Trust: 1.0

NVD: CVE-2017-12320
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201711-664
value: MEDIUM

Trust: 0.6

VULHUB: VHN-102831
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2017-12320
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-102831
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-12320
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-102831 // JVNDB: JVNDB-2017-010145 // CNNVD: CNNVD-201711-664 // NVD: CVE-2017-12320

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-102831 // JVNDB: JVNDB-2017-010145 // NVD: CVE-2017-12320

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201711-664

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201711-664

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2017-010145

PATCH
title:cisco-sa-20171115-resurl:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171115-res
Trust: 0.8
title:Cisco Registered Envelope Service Fixes for cross-site scripting vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=76492
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2017-010145 // 
            
            
            
            CNNVD: CNNVD-201711-664

EXTERNAL IDS
db:NVDid:CVE-2017-12320
Trust: 2.8
db:BIDid:101863
Trust: 2.0
db:JVNDBid:JVNDB-2017-010145
Trust: 0.8
db:CNNVDid:CNNVD-201711-664
Trust: 0.6
db:VULHUBid:VHN-102831
Trust: 0.1
sources:
            
            
            VULHUB: VHN-102831 // 
            
            
            
            BID: 101863 // 
            
            
            
            JVNDB: JVNDB-2017-010145 // 
            
            
            
            CNNVD: CNNVD-201711-664 // 
            
            
            
            NVD: CVE-2017-12320

REFERENCES
url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20171115-res
Trust: 2.0
url:http://www.securityfocus.com/bid/101863
Trust: 1.7
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-12320
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2017-12320
Trust: 0.8
url:http://www.cisco.com/
Trust: 0.3
sources:
            
            
            VULHUB: VHN-102831 // 
            
            
            
            BID: 101863 // 
            
            
            
            JVNDB: JVNDB-2017-010145 // 
            
            
            
            CNNVD: CNNVD-201711-664 // 
            
            
            
            NVD: CVE-2017-12320

CREDITS
userburden and Rahul Raj.
Trust: 0.3
sources:
            
            
            BID: 101863

SOURCES
db:VULHUBid:VHN-102831
db:BIDid:101863
db:JVNDBid:JVNDB-2017-010145
db:CNNVDid:CNNVD-201711-664
db:NVDid:CVE-2017-12320

LAST UPDATE DATE
2025-04-20T23:12:45.707000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-102831date:2019-10-09T00:00:00
db:BIDid:101863date:2017-12-19T22:00:00
db:JVNDBid:JVNDB-2017-010145date:2017-12-06T00:00:00
db:CNNVDid:CNNVD-201711-664date:2019-10-17T00:00:00
db:NVDid:CVE-2017-12320date:2025-04-20T01:37:25.860

SOURCES RELEASE DATE
db:VULHUBid:VHN-102831date:2017-11-16T00:00:00
db:BIDid:101863date:2017-11-15T00:00:00
db:JVNDBid:JVNDB-2017-010145date:2017-12-06T00:00:00
db:CNNVDid:CNNVD-201711-664date:2017-11-20T00:00:00
db:NVDid:CVE-2017-12320date:2017-11-16T07:29:00.837