Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ciscoCiscoCISCO-SA-20090401-CVE-2009-1220
HistoryApr 01, 2009 - 3:41 p.m.

Cisco ASA Software WebVPN Cross-Site Scripting Vulnerability

2009-04-0115:41:10
tools.cisco.com
26

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

EPSS

0.012

Percentile

85.4%

JSON

Cisco ASA Software versions 8.0.4(28) and prior contain a vulnerability that could allow an unauthenticated, remote attacker to conduct cross-site scripting attacks.

The vulnerability is due to insufficient input validation within the WebVPN clientless mode feature. Attackers could exploit this vulnerability to conduct cross-site scripting attacks, which could result in the execution of arbitrary HTML or scripting code in a user’s browser session within the security context of the site.

Proof of concept code is available to demonstrate this cross-site scripting attack.

Cisco has confirmed the vulnerability and released software updates.

To exploit this vulnerability, the clientless mode of the WebVPN feature must be enabled. An attacker must also be able to inject crafted HTTP headers into a browser, which requires the use of a web application technology such as JavaScript or Flash. These factors reduce the likelihood of an attack.

An exploit may allow the attacker to obtain the WebVPN session cookie and gain unauthorized access to the VPN device.

Affected configurations

Vulners
Node
ciscoadaptive_security_appliance_softwareMatch7.2
OR
ciscoadaptive_security_appliance_softwareMatch8.0
OR
ciscoadaptive_security_appliance_softwareMatch7.2.2.34
OR
ciscoadaptive_security_appliance_softwareMatch7.2.3.1
OR
ciscoadaptive_security_appliance_softwareMatch7.2.2
OR
ciscoadaptive_security_appliance_softwareMatch7.2.4
OR
ciscoadaptive_security_appliance_softwareMatch7.2.3
OR
ciscoadaptive_security_appliance_softwareMatch7.2.1
OR
ciscoadaptive_security_appliance_softwareMatch7.2.4.27
OR
ciscoadaptive_security_appliance_softwareMatch7.2.4.30
OR
ciscoadaptive_security_appliance_softwareMatch8.0.2.11
OR
ciscoadaptive_security_appliance_softwareMatch8.0.4
OR
ciscoadaptive_security_appliance_softwareMatch8.0.3
OR
ciscoadaptive_security_appliance_softwareMatch8.0.2
OR
ciscoadaptive_security_appliance_softwareMatch8.0.1.2
OR
ciscoadaptive_security_appliance_softwareMatch8.0.4.25
OR
ciscoadaptive_security_appliance_softwareMatch8.0.4.28
VendorProductVersionCPE
ciscoadaptive_security_appliance_software7.2cpe:2.3:o:cisco:adaptive_security_appliance_software:7.2:*:*:*:*:*:*:*
ciscoadaptive_security_appliance_software8.0cpe:2.3:o:cisco:adaptive_security_appliance_software:8.0:*:*:*:*:*:*:*
ciscoadaptive_security_appliance_software7.2.2.34cpe:2.3:o:cisco:adaptive_security_appliance_software:7.2.2.34:*:*:*:*:*:*:*
ciscoadaptive_security_appliance_software7.2.3.1cpe:2.3:o:cisco:adaptive_security_appliance_software:7.2.3.1:*:*:*:*:*:*:*
ciscoadaptive_security_appliance_software7.2.2cpe:2.3:o:cisco:adaptive_security_appliance_software:7.2.2:*:*:*:*:*:*:*
ciscoadaptive_security_appliance_software7.2.4cpe:2.3:o:cisco:adaptive_security_appliance_software:7.2.4:*:*:*:*:*:*:*
ciscoadaptive_security_appliance_software7.2.3cpe:2.3:o:cisco:adaptive_security_appliance_software:7.2.3:*:*:*:*:*:*:*
ciscoadaptive_security_appliance_software7.2.1cpe:2.3:o:cisco:adaptive_security_appliance_software:7.2.1:*:*:*:*:*:*:*
ciscoadaptive_security_appliance_software7.2.4.27cpe:2.3:o:cisco:adaptive_security_appliance_software:7.2.4.27:*:*:*:*:*:*:*
ciscoadaptive_security_appliance_software7.2.4.30cpe:2.3:o:cisco:adaptive_security_appliance_software:7.2.4.30:*:*:*:*:*:*:*
Rows per page:
1-10 of 171

Related

cvelist 1
exploitdb 1
nvd 1
cve 1
checkpoint_advisories 1
prion 1
cvelist
cvelist
CVE-2009-1220
2009-04-01 18:00:00
exploitdb
exploitdb
Cisco ASA Appliance 7.x/8.0 WebVPN - Cross-Site Scripting
2009-03-31 00:00:00
nvd
nvd
CVE-2009-1220
2009-04-01 18:30:00
cve
cve
CVE-2009-1220
2009-04-01 18:30:00
checkpoint_advisories
checkpoint_advisories
Preemptive Protection against Cisco ASA Appliance WebVPN Cross Site Scripting Vulnerability
2009-04-14 00:00:00
prion
prion
Cross site scripting
2009-04-01 18:30:00

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

EPSS

0.012

Percentile

85.4%

JSON
Related for CISCO-SA-20090401-CVE-2009-1220
cvelist1exploitdb1nvd1cve1checkpoint_advisories1prion1