CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
EPSS
Percentile
49.1%
Cisco Adaptive Security Appliance (ASA) devices configured for WebVPN contain a DOM-based cross-site scripting vulnerability (XSS) within the Portal Login page. An unauthenticated, remote attacker who can convince a user to take a malicious action, could perform a XSS attack on the user.
The vulnerability exists due to mishandling of certain attributes that are processed within cookies passed as part of a request. A successful exploit may allow the attacker to execute arbitrary script or HTML code on the user’s browser within the context of the affected site.
Proof-of-concept code that exploits this vulnerability is publicly available.
Cisco has confirmed the vulnerability and released updated software.
To exploit the vulnerability, the attacker may provide a link to the user and may persuade the user to follow the link by using misleading language and instructions.
Vendor | Product | Version | CPE |
---|---|---|---|
cisco | adaptive_security_appliance_software | 8.4 | cpe:2.3:o:cisco:adaptive_security_appliance_software:8.4:*:*:*:*:*:*:* |
cisco | adaptive_security_appliance_software | 8.5 | cpe:2.3:o:cisco:adaptive_security_appliance_software:8.5:*:*:*:*:*:*:* |
cisco | adaptive_security_appliance_software | 8.6 | cpe:2.3:o:cisco:adaptive_security_appliance_software:8.6:*:*:*:*:*:*:* |
cisco | adaptive_security_appliance_software | 8.7 | cpe:2.3:o:cisco:adaptive_security_appliance_software:8.7:*:*:*:*:*:*:* |
cisco | adaptive_security_appliance_software | 9.0 | cpe:2.3:o:cisco:adaptive_security_appliance_software:9.0:*:*:*:*:*:*:* |
cisco | adaptive_security_appliance_software | 9.1 | cpe:2.3:o:cisco:adaptive_security_appliance_software:9.1:*:*:*:*:*:*:* |
cisco | adaptive_security_appliance_software | 9.2 | cpe:2.3:o:cisco:adaptive_security_appliance_software:9.2:*:*:*:*:*:*:* |
cisco | adaptive_security_appliance_software | 8.4.1 | cpe:2.3:o:cisco:adaptive_security_appliance_software:8.4.1:*:*:*:*:*:*:* |
cisco | adaptive_security_appliance_software | 8.4.2 | cpe:2.3:o:cisco:adaptive_security_appliance_software:8.4.2:*:*:*:*:*:*:* |
cisco | adaptive_security_appliance_software | 8.4.1.3 | cpe:2.3:o:cisco:adaptive_security_appliance_software:8.4.1.3:*:*:*:*:*:*:* |