CVE-2022-20772

MEDIUM

Cisco ESA/Secure Email and Web Manager - HTTP Response Splitting

Title source: llm

Description

A vulnerability in Cisco Email Security Appliance (ESA) and Cisco Secure Email and Web Manager could allow an unauthenticated, remote attacker to conduct an HTTP response splitting attack. This vulnerability is due to the failure of the application or its environment to properly sanitize input values. An attacker could exploit this vulnerability by injecting malicious HTTP headers, controlling the response body, or splitting the response into multiple responses.

References (1)

[Various Sources] https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ESA-HTTP-Inject-nvsycUmR

Scores

CVSS v3 4.7

EPSS 0.0040

EPSS Percentile 60.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-113 CWE-74

Status published

Products (2)

cisco/email_security_appliance_firmware 13.5.1 - 14.0.3-015

cisco/secure_email_and_web_manager_firmware 14.2 - 14.2.0-217

Published Nov 04, 2022

Tracked Since Feb 18, 2026