CVE-2017-12309

MEDIUM

Cisco Email Security Appliance - XSS

Title source: llm

Description

A vulnerability in the Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to conduct a HTTP response splitting attack. The vulnerability is due to the failure of the application or its environment to properly sanitize input values. An attacker could exploit this vulnerability by injecting malicious HTTP headers, controlling the response body, or splitting the response into multiple responses. An exploit could allow the attacker to perform cross-site scripting attacks, cross-user defacement, web cache poisoning, and similar exploits. Cisco Bug IDs: CSCvf16705.

References (3)

[Third Party Advisory, VDB Entry] http://www.securitytracker.com/id/1039831

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/101928

[Vendor Advisory] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171115-esa

Scores

CVSS v3 5.3

EPSS 0.0098

EPSS Percentile 76.8%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Details

CWE

CWE-113

Status published

Products (3)

cisco/email_security_appliance_firmware 10.0.2-020

cisco/email_security_appliance_firmware 11.0.0-105

n/a/Cisco Email Security Appliance Cisco Email Security Appliance

Published Nov 16, 2017

Tracked Since Feb 18, 2026