ID

VAR-201708-1341


CVE

CVE-2017-6788


TITLE

Cross-site scripting vulnerability in Cisco AnyConnect Secure Mobility Client Software

Trust: 0.8

sources: JVNDB: JVNDB-2017-007196

DESCRIPTION

The WebLaunch functionality of Cisco AnyConnect Secure Mobility Client Software contains a vulnerability that could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the affected software. The vulnerability is due to insufficient input validation of some parameters that are passed to the WebLaunch function of the affected software. An attacker could exploit this vulnerability by convincing a user to access a malicious link or by intercepting a user request and injecting malicious code into the request. Cisco Bug IDs: CSCvf12055. Known Affected Releases: 98.89(40). The vendor has released this vulnerability as Bug ID CSCvf12055. Information may be obtained and information may be altered. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Trust: 1.98

sources: NVD: CVE-2017-6788 // JVNDB: JVNDB-2017-007196 // BID: 100364 // VULHUB: VHN-114991

AFFECTED PRODUCTS

vendor: cisco // model: anyconnect secure mobility client // scope: eq // version: 4.5(58)

Trust: 1.6

vendor: cisco // model: anyconnect secure mobility client // scope: eq // version: 4.4(4027)

Trust: 1.6

vendor: cisco // model: anyconnect secure mobility client // scope: - // version: -

Trust: 0.8

vendor: cisco // model: anyconnect secure mobility client software // scope: eq // version: 0

Trust: 0.3

vendor: cisco // model: anyconnect secure mobility client // scope: eq // version: 98.89(40)

Trust: 0.3

sources: BID: 100364 // JVNDB: JVNDB-2017-007196 // CNNVD: CNNVD-201708-717 // NVD: CVE-2017-6788

CVSS

SEVERITY

nvd@nist.gov: CVE-2017-6788
value: MEDIUM

Trust: 1.0

NVD: CVE-2017-6788
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201708-717
value: MEDIUM

Trust: 0.6

VULHUB: VHN-114991
value: MEDIUM

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2017-6788
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-114991
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2017-6788
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-114991 // JVNDB: JVNDB-2017-007196 // CNNVD: CNNVD-201708-717 // NVD: CVE-2017-6788

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.9

sources: VULHUB: VHN-114991 // JVNDB: JVNDB-2017-007196 // NVD: CVE-2017-6788

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201708-717

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201708-717

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-007196

PATCH

title: cisco-sa-20170816-caw // url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170816-caw

Trust: 0.8

title: Cisco AnyConnect Secure Mobility Client Software Fixes for cross-site scripting vulnerabilities // url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=74068

Trust: 0.6

sources: JVNDB: JVNDB-2017-007196 // CNNVD: CNNVD-201708-717

EXTERNAL IDS

db: NVD // id: CVE-2017-6788

Trust: 2.8

db: BID // id: 100364

Trust: 2.0

db: SECTRACK // id: 1039190

Trust: 1.1

db: JVNDB // id: JVNDB-2017-007196

Trust: 0.8

db: CNNVD // id: CNNVD-201708-717

Trust: 0.7

db: NSFOCUS // id: 37430

Trust: 0.6

db: VULHUB // id: VHN-114991

Trust: 0.1

sources: VULHUB: VHN-114991 // BID: 100364 // JVNDB: JVNDB-2017-007196 // CNNVD: CNNVD-201708-717 // NVD: CVE-2017-6788

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20170816-caw

Trust: 2.0

url:http://www.securityfocus.com/bid/100364

Trust: 1.7

url:http://www.securitytracker.com/id/1039190

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-6788

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2017-6788

Trust: 0.8

url:http://www.nsfocus.net/vulndb/37430

Trust: 0.6

url:http://www.cisco.com/

Trust: 0.3

sources: VULHUB: VHN-114991 // BID: 100364 // JVNDB: JVNDB-2017-007196 // CNNVD: CNNVD-201708-717 // NVD: CVE-2017-6788

CREDITS

Adam Willard of Blue Canopy.

Trust: 0.9

sources: BID: 100364 // CNNVD: CNNVD-201708-717

SOURCES

db: VULHUB // id: VHN-114991
db: BID // id: 100364
db: JVNDB // id: JVNDB-2017-007196
db: CNNVD // id: CNNVD-201708-717
db: NVD // id: CVE-2017-6788

LAST UPDATE DATE

2025-04-20T23:27:17.388000+00:00


SOURCES UPDATE DATE

db: VULHUB // id: VHN-114991 // date: 2017-08-24T00:00:00
db: BID // id: 100364 // date: 2017-08-16T20:11:00
db: JVNDB // id: JVNDB-2017-007196 // date: 2017-09-13T00:00:00
db: CNNVD // id: CNNVD-201708-717 // date: 2017-08-17T00:00:00
db: NVD // id: CVE-2017-6788 // date: 2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db: VULHUB // id: VHN-114991 // date: 2017-08-17T00:00:00
db: BID // id: 100364 // date: 2017-08-16T00:00:00
db: JVNDB // id: JVNDB-2017-007196 // date: 2017-09-13T00:00:00
db: CNNVD // id: CNNVD-201708-717 // date: 2017-08-17T00:00:00
db: NVD // id: CVE-2017-6788 // date: 2017-08-17T20:29:00.917