ID
VAR-E-200606-0655
TITLE
Cisco VPN3K/ASA WebVPN Clientless Mode Cross-Site Scripting Vulnerability
Trust: 0.3
DESCRIPTION
Cisco VPN 3000 Series Concentrators and ASA 5500 Series Adaptive Security Appliances (ASA) are prone to cross-site scripting attacks via the WebVPN Clientless Mode.
The issue is due to insufficient sanitization of HTML and script code in error messages that are displayed to users. This vulnerability could result in the execution of attacker-supplied HTML and script code in the session of a victim user. In the worst-case scenario, the attacker could gain unauthorized access to the VPN by stealing the WebVPN session cookie.
Cisco tracks this issue as Bug IDs CSCsd81095 and CSCse48193.
Update: Cisco states that WebVPN full-network-access mode is not affected by this issue.
Trust: 0.3
AFFECTED PRODUCTS
vendor: | cisco | model: | vpn concentrator | scope: | eq | version: | 30002.5.2 | Trust: 1.5 |
vendor: | cisco | model: | vpn concentrator | scope: | eq | version: | 30003.1 | Trust: 0.6 |
vendor: | cisco | model: | vpn concentrator | scope: | eq | version: | 30003.0.3 | Trust: 0.6 |
vendor: | cisco | model: | vpn concentrator | scope: | eq | version: | 30003.0 | Trust: 0.6 |
vendor: | cisco | model: | vpn concentrator f | scope: | eq | version: | 30004.7.1 | Trust: 0.3 |
vendor: | cisco | model: | vpn concentrator | scope: | eq | version: | 30004.7.1 | Trust: 0.3 |
vendor: | cisco | model: | vpn concentrator | scope: | eq | version: | 30004.7 | Trust: 0.3 |
vendor: | cisco | model: | vpn concentrator .b | scope: | eq | version: | 30004.1.5 | Trust: 0.3 |
vendor: | cisco | model: | vpn concentrator | scope: | eq | version: | 30004.1.x | Trust: 0.3 |
vendor: | cisco | model: | vpn concentrator .b | scope: | eq | version: | 30004.0.5 | Trust: 0.3 |
vendor: | cisco | model: | vpn concentrator | scope: | eq | version: | 30004.0.1 | Trust: 0.3 |
vendor: | cisco | model: | vpn concentrator | scope: | eq | version: | 30004.0.x | Trust: 0.3 |
vendor: | cisco | model: | vpn concentrator | scope: | eq | version: | 30004.0 | Trust: 0.3 |
vendor: | cisco | model: | vpn concentrator d | scope: | eq | version: | 30003.6.7 | Trust: 0.3 |
vendor: | cisco | model: | vpn concentrator | scope: | eq | version: | 30003.6.7 | Trust: 0.3 |
vendor: | cisco | model: | vpn concentrator | scope: | eq | version: | 30003.6.1 | Trust: 0.3 |
vendor: | cisco | model: | vpn concentrator | scope: | eq | version: | 30003.6 | Trust: 0.3 |
vendor: | cisco | model: | vpn concentrator | scope: | eq | version: | 30003.5.5 | Trust: 0.3 |
vendor: | cisco | model: | vpn concentrator | scope: | eq | version: | 30003.5.4 | Trust: 0.3 |
vendor: | cisco | model: | vpn concentrator | scope: | eq | version: | 30003.5.3 | Trust: 0.3 |
vendor: | cisco | model: | vpn concentrator | scope: | eq | version: | 30003.5.2 | Trust: 0.3 |
vendor: | cisco | model: | vpn concentrator | scope: | eq | version: | 30003.5.1 | Trust: 0.3 |
vendor: | cisco | model: | vpn concentrator | scope: | eq | version: | 30003.5 | Trust: 0.3 |
vendor: | cisco | model: | vpn concentrator | scope: | eq | version: | 30003.1.4 | Trust: 0.3 |
vendor: | cisco | model: | vpn concentrator | scope: | eq | version: | 30003.1.2 | Trust: 0.3 |
vendor: | cisco | model: | vpn concentrator | scope: | eq | version: | 30003.1.1 | Trust: 0.3 |
vendor: | cisco | model: | vpn concentrator | scope: | eq | version: | 30003.0.4 | Trust: 0.3 |
vendor: | cisco | model: | vpn concentrator | scope: | eq | version: | 30002.0 | Trust: 0.3 |
vendor: | cisco | model: | vpn concentrator 4.1.7.b | scope: | eq | version: | 3000 | Trust: 0.3 |
vendor: | cisco | model: | vpn concentrator 4.1.7.a | scope: | eq | version: | 3000 | Trust: 0.3 |
vendor: | cisco | model: | asa series adaptive security appliance | scope: | eq | version: | 55007.0.4.3 | Trust: 0.3 |
vendor: | cisco | model: | asa series adaptive security appliance | scope: | eq | version: | 55007.0.4 | Trust: 0.3 |
vendor: | cisco | model: | asa series adaptive security appliance | scope: | eq | version: | 55007.0 | Trust: 0.3 |
EXPLOIT
This issue can be exploited by enticing an authenticated VPN user to visit a URI that contains embedded HTML and script code. The URI will cause the malicious code to be rendered in the 'dnserror.html' or 'connecterror.html' error pages.
Trust: 0.3
PRICE
Free
Trust: 0.3
TYPE
Input Validation Error
Trust: 0.3
CREDITS
Discovery is credited to Michal Zalewski.
Trust: 0.3
EXTERNAL IDS
db: | BID | id: | 18419 | Trust: 0.3 |
REFERENCES
url: | http://www.cisco.com/warp/public/707/cisco-sr-20060613-webvpn-xss.shtml | Trust: 0.3 |
SOURCES
db: | BID | id: | 18419 |
LAST UPDATE DATE
2022-07-27T09:55:36.220000+00:00
SOURCES UPDATE DATE
db: | BID | id: | 18419 | date: | 2007-01-26T16:09:00 |
SOURCES RELEASE DATE
db: | BID | id: | 18419 | date: | 2006-06-14T00:00:00 |