#VU59972 Information disclosure in Enterprise Chat and Email - CVE-2022-20633


Vulnerability identifier: #VU59972

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2022-20633

CWE-ID: CWE-200

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Enterprise Chat and Email
Other software / Other software solutions

Vendor: Cisco Systems, Inc

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to differences in the authentication responses that the application sends back during an authentication attempt. A remote attacker can use these differences to confirm which user accounts exist.

Mitigation
Install updates from the vendor's website.

Vulnerable software versions

Enterprise Chat and Email: before 12.6(1)_ES1


External links
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ece-multivulns-kbK2yVhR


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote unauthenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
