N/A

Multiple vulnerabilities in the web interface of the Cisco Registered Envelope Service (a cloud-based service) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack or redirect a user of the affected service to an undesired web page. The vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface of the affected service. An attacker could exploit these vulnerabilities by persuading a user to click a malicious link or by sending an HTTP request that could cause the affected service to redirect the request to a specified malicious URL. A successful exploit could allow the attacker to execute arbitrary script code in the context of the web interface of the affected system or allow the attacker to access sensitive browser-based information on the affected system. These types of exploits could also be used in phishing attacks that send users to malicious websites without their knowledge. Cisco Bug IDs: CSCve77195, CSCve90978, CSCvf42310, CSCvf42703, CSCvf42723, CSCvf46169, CSCvf49999.

N/A

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

Cisco Registered Envelope Service 跨站脚本漏洞

Cisco Registered Envelope Service是美国思科（Cisco）公司的一套邮件服务解决方案。该产品包括邮件的读取回执、邮件回收、邮件转发和回复功能，并提供智能手机支持。 Cisco Registered Envelope Service中存在跨站脚本漏洞，该漏洞源于程序没有充分的验证用户提交的数据。远程攻击者可通过诱使用户点击恶意链接或通过发送HTTP请求利用该漏洞在受影响系统的Web界面的上下文中执行任意脚本代码或访问基于浏览器的敏感信息。

N/A

N/A