CVE-2020-3580
Published: 21 October 2020
Summary
CVE-2020-3580 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Cisco Adaptive Security Appliance Software. Its CVSS base score is 6.1 (Medium).
Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-4 (Information Flow Enforcement).
Deeper analysis
Multiple vulnerabilities in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow cross-site scripting attacks. The issues stem from insufficient validation of user-supplied input and affect only specific AnyConnect and WebVPN configurations on those products.
An unauthenticated remote attacker can exploit the flaws by persuading a user of the interface to click a crafted link. Successful exploitation enables execution of arbitrary script code in the context of the interface or access to sensitive browser-based information.
The Cisco Security Advisory cisco-sa-asaftd-xss-multiple-FCB3vPZe provides details on affected versions and recommended mitigations. CVE-2020-3580 is listed in the CISA Known Exploited Vulnerabilities Catalog, confirming observed in-the-wild exploitation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-24851
Vulnerability details
Multiple vulnerabilities in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the web services interface of an affected device. The vulnerabilities are due to insufficient validation of user-supplied input by the web services interface of an affected device. An attacker could exploit these vulnerabilities by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive, browser-based information. Note: These vulnerabilities affect only specific AnyConnect and WebVPN configurations. For more information, see the Vulnerable Products section.
- CWE(s): CWE-79
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation of user-supplied input, which is the root cause of the XSS flaws in the ASA/FTD web services interface.
- Output filtering: Requires filtering of information outputs to prevent malicious script injection from reaching the browser context of the web interface.
- AC-4 (Information Flow Enforcement): Enforces information flow rules that can block crafted links and script payloads from being processed by the affected AnyConnect/WebVPN web services.