Medium severity5.3NVD Advisory· Published Nov 16, 2017· Updated May 13, 2026

CVE-2017-12309

Description

A vulnerability in the Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to conduct a HTTP response splitting attack. The vulnerability is due to the failure of the application or its environment to properly sanitize input values. An attacker could exploit this vulnerability by injecting malicious HTTP headers, controlling the response body, or splitting the response into multiple responses. An exploit could allow the attacker to perform cross-site scripting attacks, cross-user defacement, web cache poisoning, and similar exploits. Cisco Bug IDs: CSCvf16705.

Affected products

Cisco Systems, Inc./Email Security Appliance Firmware2 versions
cpe:2.3:o:cisco:email_security_appliance_firmware:10.0.2-020:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:o:cisco:email_security_appliance_firmware:10.0.2-020:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:email_security_appliance_firmware:11.0.0-105:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.securityfocus.com/bid/101928nvdThird Party AdvisoryVDB Entry
www.securitytracker.com/id/1039831nvdThird Party AdvisoryVDB Entry
tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171115-esanvdVendor Advisory

News mentions

No linked articles in our index yet.

cvss	0.345
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000