Cyber Resilience

CVE-2020-3580

Severity: Medium · CISA KEV · Active Exploitation · EUVD Exploited · Ransomware-linked

Published: 21 October 2020
Modified: 28 October 2025
KEV Added: 03 November 2021
Patch: see Cisco Security Advisory cisco-sa-asaftd-xss-multiple-FCB3vPZe
CVSS Score (v3.1): 6.1, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Score: 0.9332 (99.8th percentile)
Risk Priority: 88 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2020-3580 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Cisco Adaptive Security Appliance Software. Its CVSS base score is 6.1 (Medium).

Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-4 (Information Flow Enforcement).

Deeper analysis

Multiple vulnerabilities in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow cross-site scripting attacks. The issues stem from insufficient validation of user-supplied input and affect only specific AnyConnect and WebVPN configurations on those products.

An unauthenticated remote attacker can exploit the flaws by persuading a user of the interface to click a crafted link. Successful exploitation enables execution of arbitrary script code in the context of the interface or access to sensitive browser-based information.

The Cisco Security Advisory cisco-sa-asaftd-xss-multiple-FCB3vPZe provides details on affected versions and recommended mitigations. CVE-2020-3580 is listed in the CISA Known Exploited Vulnerabilities Catalog, confirming observed in-the-wild exploitation.


Vulnerability details

Multiple vulnerabilities in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the web services interface of an affected device. The vulnerabilities are due to insufficient validation of user-supplied input by the web services interface of an affected device. An attacker could exploit these vulnerabilities by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive, browser-based information. Note: These vulnerabilities affect only specific AnyConnect and WebVPN configurations. For more information, see the Vulnerable Products section.

CWE(s): CWE-79 (Cross-site Scripting)
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Cisco Firepower Threat Defense: ≤ 6.4.0.12 · 6.5.0 to 6.6.4 · 6.7.0 to 6.7.0.2
Cisco Adaptive Security Appliance Software: ≤ 9.8.4.34 · 9.9 to 9.9.2.85 · 9.10 to 9.12.4.13

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly requires validation of user-supplied input, which is the root cause of the XSS flaws in the ASA/FTD web services interface.

SI-15 Information Output Filtering (prevent): Requires filtering of information outputs to prevent malicious script injection from reaching the browser context of the web interface.

AC-4 Information Flow Enforcement (prevent): Enforces information flow rules that can block crafted links and script payloads from being processed by the affected AnyConnect/WebVPN web services.
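The first two controls above describe the generic defence against reflected XSS: validate what comes in against an allowlist, and encode what goes out for the HTML context it lands in. The following Python snippet is an added illustration of that pattern and is not Cisco's code, nor a model of the affected ASA/FTD web services interface; the query parameter name `group`, the portal URL and the two sample links are constructed for the example. It shows the anti-pattern (raw concatenation of a URL parameter into HTML), the hardened renderer (allowlist plus `html.escape`), an encode-only variant for free-text fields, and a small check that tells whether markup characters from the input survived unencoded in the response.

```python
"""Reflected-XSS defence pattern: allowlist input validation (SI-10)
plus contextual output encoding (SI-15).

Added illustration for this CVE record; not Cisco's code and not the
affected ASA/FTD web services interface.
"""
import html
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical query parameter that the page reflects into its HTML body.
PARAM = "group"

# Allowlist for the parameter: short names built from letters, digits,
# underscore and dash. Anything else is rejected outright.
ALLOWED = re.compile(r"^[A-Za-z0-9_-]{1,32}$")

# Constructed sample links: one benign, one carrying HTML in the parameter.
BENIGN_URL = "https://vpn.example.invalid/portal?group=sales"
CRAFTED_URL = (
    "https://vpn.example.invalid/portal?group=%3Cscript%3Ealert(1)%3C/script%3E"
)


def param_from_url(url: str) -> str:
    """Return the first value of PARAM from the URL's query string (percent-decoded)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get(PARAM, [""])[0]


def render_vulnerable(value: str) -> str:
    """Anti-pattern: untrusted input concatenated straight into HTML."""
    return f"<p>Selected profile: {value}</p>"


def render_hardened(value: str) -> str:
    """Reject input outside the allowlist (SI-10), then HTML-encode what remains (SI-15)."""
    if not ALLOWED.match(value):
        # Fail closed with a fixed message; never echo the rejected input back.
        return "<p>Invalid profile selection.</p>"
    return f"<p>Selected profile: {html.escape(value, quote=True)}</p>"


def render_free_text(value: str) -> str:
    """Encode-only variant for fields where no tight allowlist exists (SI-15 alone)."""
    return f"<p>Comment: {html.escape(value, quote=True)}</p>"


def reflects_unencoded(rendered: str, untrusted: str) -> bool:
    """Detection check: True when the input reached the response verbatim and
    contained markup-significant characters, i.e. it was reflected unencoded."""
    has_markup = any(ch in untrusted for ch in "<>\"'")
    return has_markup and untrusted in rendered


if __name__ == "__main__":
    for url in (BENIGN_URL, CRAFTED_URL):
        value = param_from_url(url)
        print("input:     ", repr(value))
        print("vulnerable:", render_vulnerable(value),
              "| reflected unencoded:", reflects_unencoded(render_vulnerable(value), value))
        print("hardened:  ", render_hardened(value),
              "| reflected unencoded:", reflects_unencoded(render_hardened(value), value))
        print("free text: ", render_free_text(value))
        print()
```

The allowlist is the stronger of the two controls because it removes the markup before any rendering decision is made; the encode-only renderer is the fallback for fields that legitimately carry arbitrary text. The `reflects_unencoded` check is deliberately simple and is the kind of assertion a test suite can run over every templated response to catch a missed encoding step.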

References