⚠ Actively exploited in ransomware campaigns
This vulnerability is on the CISA Known Exploited Vulnerabilities list and has been used in known ransomware attacks. CISA required action: Apply updates per vendor instructions.. Due date: 2022-05-03.
CVE-2020-3580 — Cross-site Scripting in Cisco Adaptive Security Appliance Software
Severity
6.1MEDIUMNVD
EPSS
93.3%
top 0.19%
CISA KEV
KEVRansomware
Added 2021-11-03
Due 2022-05-03
Exploit
Exploited in wild
Active exploitation observed
Affected products
Timeline
PublishedOct 21
KEV addedNov 3
KEV dueMay 3
Latest updateAug 23
CISA Required Action: Apply updates per vendor instructions.
Description
Multiple vulnerabilities in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the web services interface of an affected device. The vulnerabilities are due to insufficient validation of user-supplied input by the web services interface of an affected device. An attacker could exploit these vulnerabilities by…
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7
Affected Packages3 packages
Patches
🔴Vulnerability Details
3GHSA▶
GHSA-rr9h-g433-576p: Multiple vulnerabilities in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) So↗2022-05-24
CVEList▶
Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Interface Cross-Site Scripting Vulnerabilities↗2020-10-21
💥Exploits & PoCs
1Nuclei▶
Cisco ASA/FTD Software - Cross-Site Scripting