Cyber Resilience

CVE-2014-2120

Medium · CISA KEV · Active Exploitation · EUVD Exploited

Published: 19 March 2014

Modified: 21 April 2026
KEV Added: 12 November 2024
Patch
CVSS Score v3.1: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
EPSS Score: 0.7514 (98.9th percentile)
Risk Priority: 77 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2014-2120 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Cisco Adaptive Security Appliance Software. Its CVSS base score is 6.1 (Medium).

Operationally, it ranks in the top 1.1% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2014-2120 is a cross-site scripting vulnerability, tracked as Bug ID CSCun19025 and assigned CWE-79, that affects the WebVPN login page in Cisco Adaptive Security Appliance (ASA) Software. The flaw permits injection of arbitrary web script or HTML through an unspecified parameter on the login page.

Remote attackers can exploit the issue over the network without authentication by crafting a malicious request that triggers script execution in a victim's browser when the user interacts with the WebVPN login page. Successful exploitation yields limited impacts to confidentiality and integrity, with changed scope due to the reflected or stored script running in the context of the affected Cisco ASA interface.

Advisories referenced at the Cisco Security Notice URL and related trackers such as SecurityFocus and SecurityTracker provide further details on the affected releases and recommended actions. No information on observed real-world exploitation is included in the supplied data.

EU & UK References

Vulnerability details

Cross-site scripting (XSS) vulnerability in the WebVPN login page in Cisco Adaptive Security Appliance (ASA) Software allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka Bug ID CSCun19025.

CWE(s)
KEV Date Added: 12 November 2024

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

cisco · adaptive security appliance software · all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: Directly requires validation of all inputs to the WebVPN login page, blocking the arbitrary script/HTML injection vector described in CSCun19025.

Prevent: Requires filtering of information returned by the login page, limiting the ability of injected scripts to execute in the victim's browser context.

Detect: Enables monitoring and analysis of network traffic to the ASA WebVPN interface to identify anomalous requests carrying XSS payloads.

References