Cisco Web Security Appliance Privilege Escalation (cisco-sa-scr-web-priv-esc-k3HCGJZ)

high Nessus Plugin ID 151661

Synopsis

The remote device is missing a vendor-supplied security patch.

Description

According to its self-reported version, Cisco Web Security Appliance is affected by a privilege escalation vulnerability. A vulnerability in the configuration management of Cisco AsyncOS for Cisco Web Security Appliance (WSA) could allow an authenticated, remote attacker to perform command injection and elevate privileges to root. This vulnerability is due to insufficient validation of user-supplied XML input for the web interface. An attacker could exploit this vulnerability by uploading crafted XML configuration files that contain scripting code to a vulnerable device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system and elevate privileges to root. An attacker would need a valid user account with the rights to upload configuration files to exploit this vulnerability.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade to the relevant fixed version referenced in Cisco bug ID CSCvv81569.

Plugin Details

Severity: High

ID: 151661

File Name: cisco-sa-scr-web-priv-esc-k3HCGJZ.nasl

Version: 1.8

Type: combined

Family: CISCO

Published: 7/15/2021

Updated: 9/21/2023

Risk Information

Vulnerability Priority Rating (VPR)

Risk Factor: Medium

Score: 5.9

CVSS v2.0

Risk Factor: High

Base Score: 9

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2021-1359

CVSS v3.0

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/h:cisco:web_security_appliance, cpe:/a:cisco:web_security_appliance, cpe:/o:cisco:web_security_appliance, cpe:/o:cisco:asyncos

Required KB Items: Host/AsyncOS/Cisco Web Security Appliance/DisplayVersion, Host/AsyncOS/Cisco Web Security Appliance/Version

Exploit Ease: No known exploits are available

Patch Publication Date: 7/7/2021

Vulnerability Publication Date: 7/7/2021

Reference Information

CVE: CVE-2021-1359

CWE: 112

CISCO-SA: cisco-sa-scr-web-priv-esc-k3HCGJZ

IAVA: 2021-A-0305-S