CVE-2014-2120
Published 2014-03-19
CVE-2014-2120: Cross-site scripting (XSS) vulnerability in the WebVPN login page in Cisco Adaptive Security Appliance (ASA) Software allows remote attackers to inject…
Priority: P2 · 76 · medium · 6.1 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA Known Exploited Vulnerability (due 2024-12-03)
Exploited in the wild
EPSS: 14.03% (96.1th percentile)
Cross-site scripting (XSS) vulnerability in the WebVPN login page in Cisco Adaptive Security Appliance (ASA) Software allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka Bug ID CSCun19025.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cisco | adaptive_security_appliance_webvpn_login_page | — | — |
Detection & IOCs (extracted from sources)
path: /+CSCOE+/logon.html
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Cisco ASA WebVPN Cross-Site Scripting (CVE-2014-2120)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/+CSCOE+/logon.html|3f|"; fast_pattern; content:"reason|3d|2"; content:"username|3d|"; pcre:"/^.*?(?:[\x20\x27\x22\x2f]on[a-z]+\x3d|(?:[^\x2f]s(?:cript[\x3a\x3e\x20\x2f]|tyle\x3d)|\x3ciframe[\x20\x2f]))/R"; reference:url,seclists.org/fulldisclosure/2016/Feb/82; reference:cve,2014-2120; classtype:web-application-attack; sid:2057723; rev:1; metadata:affected_product Cisco_ASA, attack_target Server, tls_state TLSDecrypt, created_at 2024_11_19, cve CVE_2014_2120, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2024_11_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Exploit requests target the WebVPN login page at /+CSCOE+/logon.html via HTTP GET, with query parameters including 'reason=2' and 'username=' followed by an XSS payload.
- XSS payload patterns to detect include event handler injection (e.g., 'onX='), script/style tag injection, and iframe injection within the URI query string.
- Detection should be deployed at the perimeter and internally, and requires TLS decryption (SSLDecrypt) to inspect encrypted WebVPN traffic.
- An attacker exploits this vulnerability by convincing a user to access a malicious link targeting the Cisco ASA WebVPN login page.
- TLS/SSL decryption must be enabled on the monitoring sensor for the rule above to inspect WebVPN traffic, as the login page is served over HTTPS.
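The same checks can be replayed over already-logged request lines, for example from a TLS-terminating proxy in front of the ASA. This is an added example, not part of the rule or of any source quoted on this page; the combined-log layout, the names `matches_rule` and `hunt`, and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Alternatives copied from the rule's pcre; case-sensitive, as in the rule.
PAYLOAD_RE = re.compile(
    r"[\x20\x27\x22\x2f]on[a-z]+\x3d"                 # event handler, e.g. ' onX='
    r"|[^\x2f]s(?:cript[\x3a\x3e\x20\x2f]|tyle\x3d)"  # script tag/scheme or style=
    r"|\x3ciframe[\x20\x2f]"                          # <iframe
)
# Assumed log layout: client first, request line in the first quoted field.
REQUEST_RE = re.compile(r'^(\S+) .*?"(\S+) (\S+) [^"]*"')

def matches_rule(method, raw_uri):
    """Apply the rule's method, content and pcre checks to one request."""
    if method != "GET":
        return False
    uri = unquote(raw_uri)  # assumption: the log stores the URI percent-encoded
    if "/+CSCOE+/logon.html?" not in uri or "reason=2" not in uri:
        return False
    start = uri.find("username=")
    if start < 0:
        return False
    # The pcre is relative (/R): it only inspects text after "username=".
    return PAYLOAD_RE.search(uri, start + len("username=")) is not None

def hunt(log_lines):
    """Return (client, decoded URI) for every line the checks flag."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if m and matches_rule(m.group(2), m.group(3)):
            hits.append((m.group(1), unquote(m.group(3))))
    return hits

# Constructed sample lines (documentation IP ranges, inert values).
SAMPLE_LOG = [
    '198.51.100.7 - - [19/Nov/2024:10:00:01 +0000] "GET /+CSCOE+/logon.html?reason=2&username=%22%20onfocus%3D1%20x%3D%22 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [19/Nov/2024:10:00:05 +0000] "GET /+CSCOE+/logon.html?reason=2&username=%3Ciframe%20src%3Dabout:blank%3E HTTP/1.1" 200 5120',
    '192.0.2.10 - - [19/Nov/2024:10:01:12 +0000] "GET /+CSCOE+/logon.html?reason=2&username=jsmith HTTP/1.1" 200 5098',
    '192.0.2.11 - - [19/Nov/2024:10:02:30 +0000] "GET /+CSCOE+/logon.html HTTP/1.1" 200 5098',
    '192.0.2.12 - - [19/Nov/2024:10:03:44 +0000] "POST /+CSCOE+/logon.html?reason=2&username=%3Ciframe%20x HTTP/1.1" 200 5098',
]

if __name__ == "__main__":
    for client, uri in hunt(SAMPLE_LOG):
        print(client, uri)
```

Only the first two sample lines are flagged: the third carries an ordinary username, the fourth has no query string, and the fifth is not a GET.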
CVSS provenance
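| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| vulncheck | | 6.1 | MEDIUM | |
| cisa | | 6.1 | MEDIUM | |
| vendor_cisco | | 6.1 | MEDIUM | |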
GHSA
GHSA-5g9m-4pr5-x8v5
ghsa_unreviewed · 2022-05-17
CVE-2014-2120 [MEDIUM] CWE-79
Cross-site scripting (XSS) vulnerability in the WebVPN login page in Cisco Adaptive Security Appliance (ASA) Software allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka Bug ID CSCun19025.
VulnCheck
Cisco Adaptive Security Appliance (ASA) Cross-Site Scripting (XSS) Vulnerability
vulncheck · 2014 · CVSS 6.1
CVE-2014-2120 [MEDIUM] CWE-79
Cisco Adaptive Security Appliance (ASA) contains a cross-site scripting (XSS) vulnerability in the WebVPN login page. This vulnerability allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter.
Affected: Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD)
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References:
- https://www.cloudsek.com/blog/mozi-resurfaces-as-androxgh0st-botnet-unraveling-the-latest-exploitation-wave
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://www.trustwave.com/en-us/resources/blogs/spiderla
CISA
Cisco Adaptive Security Appliance (ASA) Cross-Site Scripting (XSS) Vulnerability
cisa · 2024-11-12 · CVSS 6.1
CVE-2014-2120 [MEDIUM] CWE-79
Affected: Cisco Adaptive Security Appliance (ASA)
Cisco Adaptive Security Appliance (ASA) contains a cross-site scripting (XSS) vulnerability in the WebVPN login page. This vulnerability allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes:
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-CVE-2014-2120
- https://nvd.nist.gov/vuln/detail/CVE-2014-2120
Remediation Due Date: 2024-12-03
Cisco
Cisco Adaptive Security Appliance WebVPN Login Page Cross-Site Scripting Vulnerability
vendor_cisco · 2014-03-18 · CVSS 6.1
CVE-2014-2120 [MEDIUM] CWE-79
A vulnerability in the WebVPN login page of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of WebVPN on the Cisco ASA. The vulnerability is due to insufficient input validation of a parameter. An attacker could exploit this vulnerability by convincing a user to access a malicious link.
Cisco
CVE-2014-2120: Cisco Adaptive Security Appliance WebVPN Login Page Cross-Site Scripting Vulnerability
vendor_cisco
A vulnerability in the WebVPN login page of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of WebVPN on the Cisco ASA. The vulnerability is due to insufficient input validation of a parameter. An attacker could exploit this vulnerability by convincing a user to access a malicious link.
CWE: CWE-79
Bug IDs: CSCun19025
Suricata
ET WEB_SPECIFIC_APPS Cisco ASA WebVPN Cross-Site Scripting (CVE-2014-2120)
suricata · 2024-11-19 · CVSS 6.1
CVE-2014-2120 [MEDIUM]
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Cisco ASA WebVPN Cross-Site Scripting (CVE-2014-2120)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/+CSCOE+/logon.html|3f|"; fast_pattern; content:"reason|3d|2"; content:"username|3d|"; pcre:"/^.*?(?:[\x20\x27\x22\x2f]on[a-z]+\x3d|(?:[^\x2f]s(?:cript[\x3a\x3e\x20\x2f]|tyle\x3d)|\x3ciframe[\x20\x2f]))/R"; reference:url,seclists.org/fulldisclosure/2016/Feb/82; reference:cve,2014-2120; classtype:web-application-attack; sid:2057723; rev:1; metadata:affected_product Cisco_ASA, attack_target Server, tls_state TLSDecrypt, created_at 2024_11_19, cve CVE_2014_2120, deployment Perimeter, deployment Internal, deployment SSLDec
No public exploits indexed.
No writeups or analysis indexed.
- http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-2120
- http://www.securityfocus.com/bid/66290
- http://www.securitytracker.com/id/1029935
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2014-2120

2014-03-19: Published
2024-11-12: Added to CISA KEV
Exploited in the wild