Cisco Registered Envelope Service is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
These issues are being tracked by Cisco Bug IDs CSCve77195, CSCve90978, CSCvf42310, CSCvf42703, CSCvf42723, CSCvf46169, CSCvf49999.
Information
Bugtraq ID: 101863Class: Input Validation Error
CVE: CVE-2017-12290
CVE-2017-12291
CVE-2017-12292
CVE-2017-12320
CVE-2017-12321
CVE-2017-12322
CVE-2017-12323
Remote: Yes
Local: No
Published: Nov 15 2017 12:00AM
Updated: Nov 22 2017 02:08AM
Credit: userburden and Rahul Raj.
Vulnerable: Cisco Registered Envelope Service 0
Cisco Email Encryption 5.3
Cisco Email Encryption 5.3.0-038
Not Vulnerable:
Exploit
To exploit these issues an attacker must entice an unsuspecting victim to open a malicious URI.
References: