Cisco Registered Envelope Service Multiple Cross Site Scripting Vulnerabilities

Cisco Registered Envelope Service is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
These issues are being tracked by Cisco Bug IDs CSCve77195, CSCve90978, CSCvf42310, CSCvf42703, CSCvf42723, CSCvf46169, CSCvf49999.

Information

Bugtraq ID: 101863
Class: Input Validation Error
CVE: CVE-2017-12290
CVE-2017-12291
CVE-2017-12292
CVE-2017-12320
CVE-2017-12321
CVE-2017-12322
CVE-2017-12323

Remote: Yes
Local: No
Published: Nov 15 2017 12:00AM
Updated: Nov 22 2017 02:08AM
Credit: userburden and Rahul Raj.
Vulnerable: Cisco Registered Envelope Service 0
Cisco Email Encryption 5.3
Cisco Email Encryption 5.3.0-038

Not Vulnerable:

Exploit

To exploit these issues an attacker must entice an unsuspecting victim to open a malicious URI.

References:

• Cisco Homepage (Cisco)
  
• Cisco Registered Envelope Service Cross-Site Scripting Vulnerabilities (Cisco)
  

Source: www.securityfocus.com