| 1 | + | ### 1 |
| 2 | + | A vulnerability allows remote attackers to elevate privileges on affected installations of Cisco Secure Manager Appliance and Cisco Email Security Appliance. Authentication is required to exploit this vulnerability. |
| 3 | + | |
| 4 | + | The specific flaw exists within the jwt_api_impl module. The issue results from the usage of a static secret key to generate JWT tokens. An attacker can leverage this vulnerability to impersonate any user of the target server. |
| 5 | + | |
| 6 | + | ### 2 |
| 7 | + | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco Secure Manager Appliance and Cisco Email Security Appliance. Authentication as a high-privileged user is required to exploit this vulnerability. |
| 8 | + | |
| 9 | + | The specific flaw exists within the remediation_request_utils module. The issue results from the lack of proper validation of user-supplied data, which can result in SQL injection. An attacker can leverage this vulnerability to execute code in the context of root. |
| 10 | + | |
| 11 | + | #### Note: |
| 12 | + | These vulnerabilities are not dependent on one another. Exploitation of one of the vulnerabilities is not required to exploit the other vulnerability. A Low level privileges user can use the combination of the two vulnerabilities to receive full admin privileges on an affected system. |
| 13 | + | |
| 14 | + | ### CVE |
| 15 | + | CVE-2022-20867 |
| 16 | + | CVE-2022-20868 |
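Review bot: the `### CVE` section at the end lists two identifiers but never says which one belongs to which vulnerability, and the `### 1` / `### 2` headings give the reader nothing to match against; retitle the two headings descriptively (for example `### 1. Static JWT secret key in jwt_api_impl (privilege escalation)` and `### 2. SQL injection in remediation_request_utils (root code execution)`) and place each CVE directly under the section it identifies, or state the mapping explicitly in the CVE section. In the `#### Note:` block, "A Low level privileges user" should read "A low-privileged user", and the sentence contradicts the preceding one on first reading: the first vulnerability needs only authentication while the second needs a high-privileged account, so say plainly that the two are independent but that the token forgery in the first supplies the high-privilege precondition of the second. Minor style: drop the trailing colon from `#### Note:` to match the other headings, and consider adding the affected product versions and a link to the vendor advisory, since neither appears in the file.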