In less than 10 days, India’s Computer Emergency Response Team (CERT-In), which falls under the Ministry of IT, issued another advisory on Wednesday regarding serious vulnerabilities in the products of networking major Cisco that could help hackers access and infiltrate computer systems and steal data.
Multiple vulnerabilities have been reported in Cisco Secure Email and Web Manager, Cisco Email Security Appliance (ESA), and Cisco Enterprise Chat and Email (ECE) that could allow the attacker to execute arbitrary code, conduct a cross-site scripting (XSS) attack and retrieve sensitive information about the targeted system, CERT-In said in its advisory.
The “information disclosure vulnerability” exists in the web management interface of Cisco Secure Email and Web Manager, “due to a lack of input sanitization when querying the external authentication server”.
“An attacker could exploit this vulnerability by sending a specially crafted request through an external authentication webpage. Successful exploitation of this vulnerability could allow the attacker to gain access to sensitive information, including credentials of the user from the external authentication server,” the advisory read.
The “Cross-Site Scripting Vulnerability” exists in the Cisco Enterprise Chat and Email (ECE) web interface “due to insufficient validation of user-supplied input that is processed by the web interface”.
Successful exploitation of this vulnerability could allow the attacker to execute arbitrary code in the context of the interface or access sensitive browser-based information.
On June 20, CERT-In notified companies of three serious vulnerabilities in the networking major’s products.
Vulnerabilities in products such as routers and the mail/web manager could allow the attacker to gain unauthorized access, execute arbitrary commands, and cause a denial of service attack on an affected system, CERT-In had said in its previous notice.
The bugs that were last documented in Cisco products were called “security bypass vulnerability”, “denial of service vulnerability”, and “information disclosure vulnerability”.
(Only the title and image of this report may have been edited by Business Standard staff; the rest of the content is auto-generated from a syndicated feed.)