Description
WebVPN on the Cisco Adaptive Security Appliances (ASA) device with software 8.0(4), 8.1.2, and 8.2.1 does not properly distinguish its own login screen from the login screens it produces for third-party (1) FTP and (2) CIFS servers, which makes it easier for remote attackers to trick a user into sending WebVPN credentials to an arbitrary server via a URL associated with that server, aka Bug ID CSCsy80709.
Exploits (1)
exploitdb
WRITEUP
VERIFIED
by David Byrne · text · remote · hardware
https://www.exploit-db.com/exploits/33054
References (5)
Core References
Third Party Advisory, VDB Entry mailing-list
x_refsource_bugtraq
http://www.securityfocus.com/archive/1/504516/100/0/threaded
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id?1022457
Third Party Advisory vdb-entry
x_refsource_vupen
http://www.vupen.com/english/advisories/2009/1713
Exploit vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/35475
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/35511
Scores
EPSS
0.0575
EPSS Percentile
90.5%
Details
Status
published
Products (4)
cisco/adaptive_security_appliance
8.0(4)
cisco/adaptive_security_appliance
8.1.2
cisco/adaptive_security_appliance
8.2.1
cisco/adaptive_security_appliance
Published
Jun 25, 2009
Tracked Since
Feb 18, 2026