ID

VAR-201804-0999


CVE

CVE-2018-0251


TITLE

Cisco Adaptive Security Appliance Software cross-site scripting vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2018-004410

DESCRIPTION

A vulnerability in the Web Server Authentication Required screen of the Clientless Secure Sockets Layer (SSL) VPN portal of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of that portal on an affected device. The vulnerability is due to insufficient validation of user-supplied input by the web-based interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the portal or allow the attacker to access sensitive browser-based information. This vulnerability affects the following Cisco products if they are running a vulnerable release of Cisco ASA Software: 3000 Series Industrial Security Appliances, Adaptive Security Virtual Appliance (ASAv), ASA 5500 Series Adaptive Security Appliances, ASA 5500-X Series Next-Generation Firewalls, ASA Services Module for Cisco Catalyst 6500 Series Switches, ASA Services Module for Cisco 7600 Series Routers. Cisco Bug IDs: CSCvh20742. The vendor has confirmed this vulnerability and released it as Bug ID CSCvh20742. Information may be obtained and information may be altered. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. Clientless Secure Sockets Layer (SSL) VPN is one of the SSL (Secure Sockets Layer) VPN applications. The vulnerability stems from the fact that the program does not fully verify the request submitted by the user.

Trust: 2.07

sources: NVD: CVE-2018-0251 // JVNDB: JVNDB-2018-004410 // BID: 103926 // VULHUB: VHN-118453 // VULMON: CVE-2018-0251

AFFECTED PRODUCTS

vendor: cisco, model: adaptive security appliance software, scope: eq, version: 9.9(1)

Trust: 1.6

vendor: cisco, model: adaptive security appliance software, scope: eq, version: 9.8(2.15)

Trust: 1.6

vendor: cisco, model: adaptive security appliance software, scope: -, version: -

Trust: 0.8

vendor: cisco, model: asa series firewalls, scope: eq, version: 5500-x9.9(1)

Trust: 0.3

vendor: cisco, model: asa series firewalls, scope: eq, version: 5500-x9.8(2.15)

Trust: 0.3

vendor: cisco, model: adaptive security appliance, scope: eq, version: 0

Trust: 0.3

sources: BID: 103926 // JVNDB: JVNDB-2018-004410 // CNNVD: CNNVD-201804-1097 // NVD: CVE-2018-0251

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-0251
value: MEDIUM

Trust: 1.0

NVD: CVE-2018-0251
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201804-1097
value: MEDIUM

Trust: 0.6

VULHUB: VHN-118453
value: MEDIUM

Trust: 0.1

VULMON: CVE-2018-0251
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2018-0251
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-118453
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-0251
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-118453 // VULMON: CVE-2018-0251 // JVNDB: JVNDB-2018-004410 // CNNVD: CNNVD-201804-1097 // NVD: CVE-2018-0251

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-118453 // JVNDB: JVNDB-2018-004410 // NVD: CVE-2018-0251

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201804-1097

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201804-1097

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-004410

PATCH

title: cisco-sa-20180418-asawvpn2, url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-asawvpn2

Trust: 0.8

title: Multiple Cisco product Adaptive Security Appliance Software Fixes for cross-site scripting vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=81392

Trust: 0.6

title: Cisco: Cisco Adaptive Security Appliance Clientless SSL VPN Cross-Site Scripting Vulnerability, url: https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-20180418-asawvpn2

Trust: 0.1

sources: VULMON: CVE-2018-0251 // JVNDB: JVNDB-2018-004410 // CNNVD: CNNVD-201804-1097

EXTERNAL IDS

db: NVD, id: CVE-2018-0251

Trust: 2.9

db: BID, id: 103926

Trust: 2.1

db: SECTRACK, id: 1040714

Trust: 1.8

db: JVNDB, id: JVNDB-2018-004410

Trust: 0.8

db: CNNVD, id: CNNVD-201804-1097

Trust: 0.6

db: VULHUB, id: VHN-118453

Trust: 0.1

db: VULMON, id: CVE-2018-0251

Trust: 0.1

sources: VULHUB: VHN-118453 // VULMON: CVE-2018-0251 // BID: 103926 // JVNDB: JVNDB-2018-004410 // CNNVD: CNNVD-201804-1097 // NVD: CVE-2018-0251

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20180418-asawvpn2

Trust: 2.2

url:http://www.securityfocus.com/bid/103926

Trust: 1.9

url:http://www.securitytracker.com/id/1040714

Trust: 1.8

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-0251

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2018-0251

Trust: 0.8

url:http://www.cisco.com/c/en/us/products/security/adaptive-security-appliance-asa-software/index.html

Trust: 0.3

url:http://www.cisco.com/

Trust: 0.3

url:https://cwe.mitre.org/data/definitions/79.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-118453 // VULMON: CVE-2018-0251 // BID: 103926 // JVNDB: JVNDB-2018-004410 // CNNVD: CNNVD-201804-1097 // NVD: CVE-2018-0251

CREDITS

Cisco.

Trust: 0.3

sources: BID: 103926

SOURCES

db: VULHUB, id: VHN-118453
db: VULMON, id: CVE-2018-0251
db: BID, id: 103926
db: JVNDB, id: JVNDB-2018-004410
db: CNNVD, id: CNNVD-201804-1097
db: NVD, id: CVE-2018-0251

LAST UPDATE DATE

2024-11-23T22:41:52.155000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-118453, date: 2019-10-09T00:00:00
db: VULMON, id: CVE-2018-0251, date: 2019-10-09T00:00:00
db: BID, id: 103926, date: 2018-04-18T00:00:00
db: JVNDB, id: JVNDB-2018-004410, date: 2018-06-19T00:00:00
db: CNNVD, id: CNNVD-201804-1097, date: 2019-10-17T00:00:00
db: NVD, id: CVE-2018-0251, date: 2024-11-21T03:37:49.093

SOURCES RELEASE DATE

db: VULHUB, id: VHN-118453, date: 2018-04-19T00:00:00
db: VULMON, id: CVE-2018-0251, date: 2018-04-19T00:00:00
db: BID, id: 103926, date: 2018-04-18T00:00:00
db: JVNDB, id: JVNDB-2018-004410, date: 2018-06-19T00:00:00
db: CNNVD, id: CNNVD-201804-1097, date: 2018-04-19T00:00:00
db: NVD, id: CVE-2018-0251, date: 2018-04-19T20:29:01.080