- 144/2023
- Medium
Cisco has released security updates to fix multiple vulnerabilities across multiple products.
The addressed vulnerabilities could allow the attacker to perform a cross-site scripting attack by persuading a user of an affected interface to click a crafted link or bypass security restrictions on Cisco Duo caused by the incorrect handling of responses from Cisco Duo when the application is configured to fail open.
Sample of the addressed vulnerabilities:
1. Cisco Duo Two-Factor Authentication for macOS Authentication Bypass (CVE-2023-20199):
- CVSS: 6.2
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Consequences: Bypass Security
2. Cisco Secure Email and Web Manager Cross-Site Scripting (CVE-2023-20119):
- CVSS: 6.1
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Consequences: Cross-Site Scripting
Vulnerabilities
- CVE-2023-20028
- CVE-2023-20119
- CVE-2023-20120
- CVE-2023-20199
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.