Cisco ECE Vulnerability Could Lead to Username Enumeration Attacks
CVE-2022-20633

5.3 MEDIUM

Key Information:

Vendor
Cisco
CVE Published:
15 November 2024

Summary

A vulnerability in the web-based management interface of Cisco Enterprise Chat and Email (ECE) allows an unauthenticated, remote attacker to perform username enumeration. The issue arises because the interface responds inconsistently to authentication attempts. By sending authentication requests to an affected device, an attacker can determine which usernames are valid. That information could then be used in further attacks against those accounts. Cisco has released software updates that address this vulnerability; there are no workarounds.

Affected Version(s)

Cisco Enterprise Chat and Email 11.6(1)_ES3

Cisco Enterprise Chat and Email 11.6(1)_ES4

Cisco Enterprise Chat and Email 12.0(1)_ES6

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
