CVE-2024-20383

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-20383
A vulnerability in the web-based management interface of Cisco AsyncOS Software for Cisco Secure Email and Web Manager could allow an authenticated, remote attacker to conduct an XSS attack against a user of the interface. This vulnerability is due to insufficient validation of user input. An attacker could exploit this vulnerability by persuading a user of an affected interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.

4.8 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.7 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esa-sma-wsa-xss-bgG5WHOD Vendor Advisory
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esa-sma-wsa-xss-bgG5WHOD Vendor Advisory
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:cisco:asyncos:*:*:*:*:*:*:*:*
OR cpe:2.3:a:cisco:secure_email_and_web_manager_virtual_appliance_m100v:-:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_and_web_manager_virtual_appliance_m300v:-:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_and_web_manager_virtual_appliance_m600v:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:secure_email_and_web_manager_m170:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:secure_email_and_web_manager_m190:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:secure_email_and_web_manager_m195:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:secure_email_and_web_manager_m380:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:secure_email_and_web_manager_m390:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:secure_email_and_web_manager_m390x:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:secure_email_and_web_manager_m395:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:secure_email_and_web_manager_m680:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:secure_email_and_web_manager_m690:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:secure_email_and_web_manager_m690x:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:secure_email_and_web_manager_m695:-:*:*:*:*:*:*:*
History

08 Aug 2025, 13:15

Type Values Removed Values Added
Summary (en) A vulnerability in the Cisco Crosswork NSO CLI and the ConfD CLI could allow an authenticated, low-privileged, local attacker to elevate privileges to root on the underlying operating system. The vulnerability is due to an incorrect privilege assignment when specific CLI commands are used. An attacker could exploit this vulnerability by executing an affected CLI command. A successful exploit could allow the attacker to elevate privileges to root on the underlying operating system. (en) A vulnerability in the web-based management interface of Cisco AsyncOS Software for Cisco Secure Email and Web Manager could allow an authenticated, remote attacker to conduct an XSS attack against a user of the interface. This vulnerability is due to insufficient validation of user input. An attacker could exploit this vulnerability by persuading a user of an affected interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.

01 Aug 2025, 10:44

Type Values Removed Values Added
CPE cpe:2.3:h:cisco:secure_email_and_web_manager_m390:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:secure_email_and_web_manager_m690:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:secure_email_and_web_manager_m690x:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:secure_email_and_web_manager_m380:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:secure_email_and_web_manager_m695:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:secure_email_and_web_manager_m170:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:secure_email_and_web_manager_m680:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:secure_email_and_web_manager_m195:-:*:*:*:*:*:*:*
cpe:2.3:o:cisco:asyncos:*:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_and_web_manager_virtual_appliance_m100v:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:secure_email_and_web_manager_m395:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:secure_email_and_web_manager_m190:-:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_and_web_manager_virtual_appliance_m300v:-:*:*:*:*:*:*:*
cpe:2.3:h:cisco:secure_email_and_web_manager_m390x:-:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_and_web_manager_virtual_appliance_m600v:-:*:*:*:*:*:*:*
References () https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esa-sma-wsa-xss-bgG5WHOD - () https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esa-sma-wsa-xss-bgG5WHOD - Vendor Advisory
First Time Cisco secure Email And Web Manager Virtual Appliance M100v
Cisco secure Email And Web Manager M170
Cisco secure Email And Web Manager M690x
Cisco
Cisco secure Email And Web Manager M190
Cisco secure Email And Web Manager M680
Cisco asyncos
Cisco secure Email And Web Manager M390
Cisco secure Email And Web Manager M695
Cisco secure Email And Web Manager Virtual Appliance M300v
Cisco secure Email And Web Manager M390x
Cisco secure Email And Web Manager Virtual Appliance M600v
Cisco secure Email And Web Manager M395
Cisco secure Email And Web Manager M380
Cisco secure Email And Web Manager M195
Cisco secure Email And Web Manager M690

21 Nov 2024, 08:52

Type Values Removed Values Added
References () https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esa-sma-wsa-xss-bgG5WHOD - () https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esa-sma-wsa-xss-bgG5WHOD -

15 May 2024, 19:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-05-15 18:15

Updated : 2025-08-08 13:15

NVD link : CVE-2024-20383

Mitre link : CVE-2024-20383

CVE.ORG link : CVE-2024-20383

JSON object : View

Products Affected

cisco

  • secure_email_and_web_manager_m390
  • secure_email_and_web_manager_virtual_appliance_m300v
  • secure_email_and_web_manager_m695
  • secure_email_and_web_manager_m195
  • asyncos
  • secure_email_and_web_manager_m390x
  • secure_email_and_web_manager_m395
  • secure_email_and_web_manager_m690
  • secure_email_and_web_manager_m690x
  • secure_email_and_web_manager_m680
  • secure_email_and_web_manager_virtual_appliance_m600v
  • secure_email_and_web_manager_m190
  • secure_email_and_web_manager_m380
  • secure_email_and_web_manager_virtual_appliance_m100v
  • secure_email_and_web_manager_m170
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')