CVSS2

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | PARTIAL |
Availability Impact | NONE |
Vector string | AV:N/AC:M/Au:N/C:N/I:P/A:N |

EPSS

Metric | Value |
---|---|
Percentile | 85.4% |
Cisco ASA Software versions 8.0.4(28) and prior contain a vulnerability that could allow an unauthenticated, remote attacker to conduct cross-site scripting attacks.
The vulnerability is due to insufficient input validation within the WebVPN clientless mode feature. Attackers could exploit this vulnerability to conduct cross-site scripting attacks, which could result in the execution of arbitrary HTML or scripting code in a user’s browser session within the security context of the site.
Proof of concept code is available to demonstrate this cross-site scripting attack.
Cisco has confirmed the vulnerability and released software updates.
To exploit this vulnerability, the clientless mode of the WebVPN feature must be enabled. An attacker must also be able to inject crafted HTTP headers into a browser, which requires the use of a web application technology such as JavaScript or Flash. These factors reduce the likelihood of an attack.
An exploit may allow the attacker to obtain the WebVPN session cookie and gain unauthorized access to the VPN device.
Vendor | Product | Version | CPE |
---|---|---|---|
cisco | adaptive_security_appliance_software | 7.2 | cpe:2.3:o:cisco:adaptive_security_appliance_software:7.2:*:*:*:*:*:*:* |
cisco | adaptive_security_appliance_software | 8.0 | cpe:2.3:o:cisco:adaptive_security_appliance_software:8.0:*:*:*:*:*:*:* |
cisco | adaptive_security_appliance_software | 7.2.2.34 | cpe:2.3:o:cisco:adaptive_security_appliance_software:7.2.2.34:*:*:*:*:*:*:* |
cisco | adaptive_security_appliance_software | 7.2.3.1 | cpe:2.3:o:cisco:adaptive_security_appliance_software:7.2.3.1:*:*:*:*:*:*:* |
cisco | adaptive_security_appliance_software | 7.2.2 | cpe:2.3:o:cisco:adaptive_security_appliance_software:7.2.2:*:*:*:*:*:*:* |
cisco | adaptive_security_appliance_software | 7.2.4 | cpe:2.3:o:cisco:adaptive_security_appliance_software:7.2.4:*:*:*:*:*:*:* |
cisco | adaptive_security_appliance_software | 7.2.3 | cpe:2.3:o:cisco:adaptive_security_appliance_software:7.2.3:*:*:*:*:*:*:* |
cisco | adaptive_security_appliance_software | 7.2.1 | cpe:2.3:o:cisco:adaptive_security_appliance_software:7.2.1:*:*:*:*:*:*:* |
cisco | adaptive_security_appliance_software | 7.2.4.27 | cpe:2.3:o:cisco:adaptive_security_appliance_software:7.2.4.27:*:*:*:*:*:*:* |
cisco | adaptive_security_appliance_software | 7.2.4.30 | cpe:2.3:o:cisco:adaptive_security_appliance_software:7.2.4.30:*:*:*:*:*:*:* |