cbcvebase.
CVE-2014-2120
published 2014-03-19

CVE-2014-2120: Cross-site scripting (XSS) vulnerability in the WebVPN login page in Cisco Adaptive Security Appliance (ASA) Software allows remote attackers to inject…

PriorityP276medium6.1CVSS 3.1
AVNACLPRNUIRSCCLILAN
KEVITW
CISA Known Exploited Vulnerabilitydue 2024-12-03
Exploited in the wild
EPSS
14.03%
96.1th percentile
Cross-site scripting (XSS) vulnerability in the WebVPN login page in Cisco Adaptive Security Appliance (ASA) Software allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka Bug ID CSCun19025.

Affected

1 ranges
VendorProductVersion rangeFixed in
ciscoadaptive_security_appliance_webvpn_login_page

Detection & IOCsextracted from sources · hover to see the quote

path/+CSCOE+/logon.html
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Cisco ASA WebVPN Cross-Site Scripting (CVE-2014-2120)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/+CSCOE+/logon.html|3f|"; fast_pattern; content:"reason|3d|2"; content:"username|3d|"; pcre:"/^.*?(?:[\x20\x27\x22\x2f]on[a-z]+\x3d|(?:[^\x2f]s(?:cript[\x3a\x3e\x20\x2f]|tyle\x3d)|\x3ciframe[\x20\x2f]))/R"; reference:url,seclists.org/fulldisclosure/2016/Feb/82; reference:cve,2014-2120; classtype:web-application-attack; sid:2057723; rev:1; metadata:affected_product Cisco_ASA, attack_target Server, tls_state TLSDecrypt, created_at 2024_11_19, cve CVE_2014_2120, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2024_11_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit requests target the WebVPN login page at /+CSCOE+/logon.html via HTTP GET, with query parameters including 'reason=2' and 'username=' followed by XSS payload.
  • XSS payload patterns to detect include event handler injection (e.g., 'onX='), script/style tag injection, and iframe injection within the URI query string.
  • Detection should be deployed at the perimeter and internally, and requires TLS decryption (SSLDecrypt) to inspect encrypted WebVPN traffic.
  • An attacker exploits this vulnerability by convincing a user to access a malicious link targeting the Cisco ASA WebVPN login page.
  • ·TLS/SSL decryption must be enabled on the monitoring sensor for the Snort rule to inspect WebVPN traffic, as the login page is served over HTTPS.

CVSS provenance

nvdv3.16.1MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:N/I:P/A:N
vulncheck6.1MEDIUM
cisa6.1MEDIUM
vendor_cisco6.1MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.