CVE-2009-1202: Cross-site Scripting in Cisco Adaptive Security Appliance

Severity: 4.3 MEDIUM (NVD)
EPSS: 0.3% (top 45.31%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jun 25; Latest update May 2

Description

WebVPN on the Cisco Adaptive Security Appliances (ASA) device with software 8.0(4), 8.1.2, and 8.2.1 allows remote attackers to bypass certain protection mechanisms involving URL rewriting and HTML rewriting, and conduct cross-site scripting (XSS) attacks, by modifying the first hex-encoded character in a /+CSCO+ URI, aka Bug ID CSCsy80705.

CVSS vector

AV:N/AC:M/C:N/I:P/A:N
Exploitability: 8.6 | Impact: 2.9

Affected Packages (1 package)

NVD: cisco/adaptive_security_appliance 8.0(4), 8.1.2, 8.2.1 +2

🔴 Vulnerability Details (2)

GHSA (2022-05-02): GHSA-9634-hx95-7px5: WebVPN on the Cisco Adaptive Security Appliances (ASA) device with software 8
CVEList (2009-06-25): CVE-2009-1202: WebVPN on the Cisco Adaptive Security Appliances (ASA) device with software 8

🔍 Detection Rules (1)

Suricata (2010-07-30): ET WEB_SERVER Possible Cisco ASA Appliance Clientless SSL VPN HTML Rewriting Security Bypass Attempt/Cross Site Scripting Attempt

📋 Vendor Advisories (1)

Cisco (2009-06-24): Cisco ASA Adaptive Security Appliance Software Clientless SSL VPN Rot13-Encoded Cross-Site Scripting Vulnerability