CVE-2014-3393
EXPLOITED
Cisco Adaptive Security Appliance Software - Improper Authentication in Clientless SSL VPN Portal Customization
Title source: llm
Exploitation Summary
CVE-2014-3393 has been observed exploited in the wild (reported by VulnCheck KEV).
Description
The Clientless SSL VPN portal customization framework in Cisco ASA Software 8.2 before 8.2(5.51), 8.3 before 8.3(2.42), 8.4 before 8.4(7.23), 8.6 before 8.6(1.14), 9.0 before 9.0(4.24), 9.1 before 9.1(5.12), and 9.2 before 9.2(2.4) does not properly implement authentication, which allows remote attackers to modify RAMFS customization objects via unspecified vectors, as demonstrated by inserting XSS sequences or capturing credentials, aka Bug ID CSCup36829.
References (1)
Core References
Vendor Advisory vendor-advisory
x_refsource_cisco
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa
Scores
EPSS: 0.0199
EPSS Percentile: 78.2%
Details
VulnCheck KEV: 2016-09-28
CWE: CWE-287
Status: published
Products (50)
cisco/adaptive_security_appliance_software 8.2
cisco/adaptive_security_appliance_software 8.2.0.45
cisco/adaptive_security_appliance_software 8.2.1
cisco/adaptive_security_appliance_software 8.2.1.1
cisco/adaptive_security_appliance_software 8.2.2
cisco/adaptive_security_appliance_software 8.2.2.10
cisco/adaptive_security_appliance_software 8.2.2.12
cisco/adaptive_security_appliance_software 8.2.2.16
cisco/adaptive_security_appliance_software 8.2.2.17
cisco/adaptive_security_appliance_software 8.2.3
... and 40 more
Published: Oct 10, 2014
Tracked Since: Feb 18, 2026