CVE-2018-0140

MEDIUM

Cisco Email Security Appliance - Unauthorized Spam Quarantine Access via Browser Manipulation

Title source: llm

Description

A vulnerability in the spam quarantine of Cisco Email Security Appliance and Cisco Content Security Management Appliance could allow an authenticated, remote attacker to download any message from the spam quarantine by modifying browser string information. The vulnerability is due to a lack of verification of authenticated user accounts. An attacker could exploit this vulnerability by modifying browser strings to see messages submitted by other users to the spam quarantine within their company. Cisco Bug IDs: CSCvg39759, CSCvg42295.

References (4)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1040339
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/103090
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1040338

Scores

CVSS v3 6.5
EPSS 0.0160
EPSS Percentile 72.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE CWE-200, CWE-425
Status published
Products (7)
cisco/content_security_management_appliance 10.0.0-096
cisco/content_security_management_appliance 10.1.0-037
cisco/content_security_management_appliance 10.1.0-052
cisco/content_security_management_appliance 11.0.0-115
cisco/email_security_appliance_firmware 9.8.0-112
cisco/email_security_appliance_firmware 10.0.1-087
cisco/email_security_appliance_firmware 11.0.0-274
Published Feb 08, 2018
Tracked Since Feb 18, 2026