| | 1 | + | ### 1 |
| | 2 | + | A vulnerability allows remote attackers to elevate privileges on affected installations of Cisco Secure Manager Appliance and Cisco Email Security Appliance. Authentication is required to exploit this vulnerability. |
| | 3 | + | |
| | 4 | + | The specific flaw exists within the jwt_api_impl module. The issue results from the usage of a static secret key to generate JWT tokens. An attacker can leverage this vulnerability to impersonate any user of the target server. |
| | 5 | + | |
| | 6 | + | ### 2 |
| | 7 | + | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco Secure Manager Appliance and Cisco Email Security Appliance. Authentication as a high-privileged user is required to exploit this vulnerability. |
| | 8 | + | |
| | 9 | + | The specific flaw exists within the remediation_request_utils module. The issue results from the lack of proper validation of user-supplied data, which can result in SQL injection. An attacker can leverage this vulnerability to execute code in the context of root. |
| | 10 | + | |
| | 11 | + | #### Note: |
| | 12 | + | These vulnerabilities are not dependent on one another. Exploitation of one of the vulnerabilities is not required to exploit the other vulnerability. A Low level privileges user can use the combination of the two vulnerabilities to receive full admin privileges on an affected system. |
| | 13 | + | |
| | 14 | + | ### CVE |
| | 15 | + | CVE-2022-20867 |
| | 16 | + | CVE-2022-20868 |
Charlie Root
committed
1 year ago
1 parent 941b45d8