CVE-2024-20341
MEDIUMCisco Adaptive Security Appliance Software - Unauthenticated Cross-Site Scripting via VPN Web Client Services
Title source: llmDescription
A vulnerability in the VPN web client services feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a browser that is accessing an affected device. This vulnerability is due to improper validation of user-supplied input to application endpoints. An attacker could exploit this vulnerability by persuading a user to follow a link designed to submit malicious input to the affected application. A successful exploit could allow the attacker to execute arbitrary HTML or script code in the browser in the context of the web services page.
References (4)
Core 4
Core References
Broken Link
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-xss-yjj7ZjVq
Vendor Advisory
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-xss-yjj7ZjVq
Scores
CVSS v3
6.1
EPSS
0.0020
EPSS Percentile
41.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-80
CWE-79
Status
published
Products (50)
cisco/adaptive_security_appliance_software
9.8.1
cisco/adaptive_security_appliance_software
9.8.1.5
cisco/adaptive_security_appliance_software
9.8.1.7
cisco/adaptive_security_appliance_software
9.8.2
cisco/adaptive_security_appliance_software
9.8.2.8
cisco/adaptive_security_appliance_software
9.8.2.14
cisco/adaptive_security_appliance_software
9.8.2.15
cisco/adaptive_security_appliance_software
9.8.2.17
cisco/adaptive_security_appliance_software
9.8.2.20
cisco/adaptive_security_appliance_software
9.8.2.24
... and 40 more
Published
Oct 23, 2024
Tracked Since
Feb 18, 2026