CVE-2014-3393 — Improper Authentication in Cisco Adaptive Security Appliance Software

CWE-287 — Improper Authentication CWE-16 CWE-20 — Improper Input Validation CWE-362 — Race Condition CWE-399 CWE-78 — OS Command Injection8 documents6 sources

Severity

4.3MEDIUMNVD

EPSS

0.8%

top 26.19%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cisco Adaptive Security Appliance Software

Timeline

PublishedOct 10

Latest updateMay 17

Description

The Clientless SSL VPN portal customization framework in Cisco ASA Software 8.2 before 8.2(5.51), 8.3 before 8.3(2.42), 8.4 before 8.4(7.23), 8.6 before 8.6(1.14), 9.0 before 9.0(4.24), 9.1 before 9.1(5.12), and 9.2 before 9.2(2.4) does not properly implement authentication, which allows remote attackers to modify RAMFS customization objects via unspecified vectors, as demonstrated by inserting XSS sequences or capturing credentials, aka Bug ID CSCup36829.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages1 packages

▶NVDcisco/adaptive_security_appliance_software102 versions+101

🔴Vulnerability Details

GHSA

GHSA-jv7f-8qcf-9c5w: The Clientless SSL VPN portal customization framework in Cisco ASA Software 8↗2022-05-17

▶

CVEList

CVE-2014-3393: The Clientless SSL VPN portal customization framework in Cisco ASA Software 8↗2014-10-10

▶

VulnCheck

Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) Improper Authentication↗2014

▶

📋Vendor Advisories

Cisco

Multiple Vulnerabilities in Cisco ASA Software↗2014-10-08

▶

Cisco

Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability↗2014-10-08

▶

🕵️Threat Intelligence

Volexity

Virtual Private Keylogging: Cisco Web VPNs Leveraged for Access and Persistence↗2015-10-07

▶

Volexity

Virtual Private Keylogging: Cisco Web VPNs Leveraged for Access and Persistence↗2015-10-07

▶