Details of VAR-202010-1052

ID

VAR-202010-1052

CVE

CVE-2020-3580

TITLE

Cisco Adaptive Security Appliance and Cisco Firepower Threat Defense Cross-site scripting vulnerabilities in software

Trust: 0.8

sources: JVNDB: JVNDB-2020-012620

DESCRIPTION

Multiple vulnerabilities in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the web services interface of an affected device. The vulnerabilities are due to insufficient validation of user-supplied input by the web services interface of an affected device. An attacker could exploit these vulnerabilities by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive, browser-based information. Note: These vulnerabilities affect only specific AnyConnect and WebVPN configurations. For more information, see the Vulnerable Products section. The platform provides features such as highly secure access to data and network resources

Trust: 1.8

sources: NVD: CVE-2020-3580 // JVNDB: JVNDB-2020-012620 // VULHUB: VHN-181705 // VULMON: CVE-2020-3580

AFFECTED PRODUCTS

vendor:	cisco	model:	adaptive security appliance software	scope:	lt	version:	9.9.2.85	Trust: 1.0
vendor:	cisco	model:	adaptive security appliance software	scope:	lt	version:	9.14.2.8	Trust: 1.0
vendor:	cisco	model:	adaptive security appliance software	scope:	lt	version:	9.8.4.34	Trust: 1.0
vendor:	cisco	model:	firepower threat defense	scope:	lt	version:	6.6.4	Trust: 1.0
vendor:	cisco	model:	adaptive security appliance software	scope:	lt	version:	9.13.1.21	Trust: 1.0
vendor:	cisco	model:	firepower threat defense	scope:	gte	version:	6.5.0	Trust: 1.0
vendor:	cisco	model:	firepower threat defense	scope:	lt	version:	6.4.0.12	Trust: 1.0
vendor:	cisco	model:	firepower threat defense	scope:	lt	version:	6.7.0.2	Trust: 1.0
vendor:	cisco	model:	adaptive security appliance software	scope:	gte	version:	9.14	Trust: 1.0
vendor:	cisco	model:	adaptive security appliance software	scope:	gte	version:	9.13	Trust: 1.0
vendor:	cisco	model:	adaptive security appliance software	scope:	gte	version:	9.9	Trust: 1.0
vendor:	cisco	model:	adaptive security appliance software	scope:	gte	version:	9.15	Trust: 1.0
vendor:	cisco	model:	adaptive security appliance software	scope:	lt	version:	9.15.1.15	Trust: 1.0
vendor:	cisco	model:	adaptive security appliance software	scope:	lt	version:	9.12.4.13	Trust: 1.0
vendor:	cisco	model:	adaptive security appliance software	scope:	gte	version:	9.10	Trust: 1.0
vendor:	cisco	model:	firepower threat defense	scope:	gte	version:	6.7.0	Trust: 1.0
vendor:	シスコシステムズ	model:	cisco adaptive security appliance ソフトウェア	scope:	-	version:	-	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco firepower threat defense ソフトウェア	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2020-012620 // NVD: CVE-2020-3580

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-3580
value:	MEDIUM
Trust: 1.0
ykramarz@cisco.com:	CVE-2020-3580
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2020-3580
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-202010-1177
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-181705
value:	LOW
Trust: 0.1
VULMON:	CVE-2020-3580
value:	LOW
Trust: 0.1

nvd@nist.gov:	CVE-2020-3580
severity:	LOW
baseScore:	2.6
vectorString:	AV:N/AC:H/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	HIGH
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	4.9
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-181705
severity:	LOW
baseScore:	2.6
vectorString:	AV:N/AC:H/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	HIGH
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	4.9
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2020-3580
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	2.7
version:	3.1
Trust: 2.0
NVD:	CVE-2020-3580
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-181705 // VULMON: CVE-2020-3580 // JVNDB: JVNDB-2020-012620 // CNNVD: CNNVD-202010-1177 // NVD: CVE-2020-3580 // NVD: CVE-2020-3580

PROBLEMTYPE DATA

problemtype:	CWE-79	Trust: 1.1
problemtype:	Cross-site scripting (CWE-79) [NVD Evaluation ]	Trust: 0.8

sources: VULHUB: VHN-181705 // JVNDB: JVNDB-2020-012620 // NVD: CVE-2020-3580

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202010-1177

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202010-1177

PATCH

title:	cisco-sa-asaftd-xss-multiple-FCB3vPZe	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-xss-multiple-FCB3vPZe	Trust: 0.8
title:	Cisco: Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Interface Cross-Site Scripting Vulnerabilities	url:	https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-asaftd-xss-multiple-FCB3vPZe	Trust: 0.1
title:	CVE-2020-3580 Automated Scanner	url:	https://github.com/adarshvs/CVE-2020-3580	Trust: 0.1
title:	CVE-2020-3580 Usage Example / Result	url:	https://github.com/catatonicprime/CVE-2020-3580	Trust: 0.1
title:	CVE-2020-3580 Automated Scanner Credit's	url:	https://github.com/imhunterand/CVE-2020-3580	Trust: 0.1
title:	HackerOneAPIClient	url:	https://github.com/pdelteil/HackerOneAPIClient	Trust: 0.1
title:	CVE-POC	url:	https://github.com/n1sh1th/CVE-POC	Trust: 0.1
title:	vulcat	url:	https://github.com/CLincat/vulcat	Trust: 0.1

sources: VULMON: CVE-2020-3580 // JVNDB: JVNDB-2020-012620

EXTERNAL IDS

db:	NVD	id:	CVE-2020-3580	Trust: 2.6
db:	JVNDB	id:	JVNDB-2020-012620	Trust: 0.8
db:	CNNVD	id:	CNNVD-202010-1177	Trust: 0.7
db:	AUSCERT	id:	ESB-2020.3642	Trust: 0.6
db:	AUSCERT	id:	ESB-2020.3642.3	Trust: 0.6
db:	NSFOCUS	id:	50204	Trust: 0.6
db:	CNVD	id:	CNVD-2020-59754	Trust: 0.1
db:	VULHUB	id:	VHN-181705	Trust: 0.1
db:	VULMON	id:	CVE-2020-3580	Trust: 0.1

sources: VULHUB: VHN-181705 // VULMON: CVE-2020-3580 // JVNDB: JVNDB-2020-012620 // CNNVD: CNNVD-202010-1177 // NVD: CVE-2020-3580

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-asaftd-xss-multiple-fcb3vpze	Trust: 2.3
url:	https://nvd.nist.gov/vuln/detail/cve-2020-3580	Trust: 1.4
url:	https://vigilance.fr/vulnerability/cisco-asa-software-cross-site-scripting-via-web-services-33675	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.3642.3	Trust: 0.6
url:	http://www.nsfocus.net/vulndb/50204	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.3642/	Trust: 0.6

sources: VULHUB: VHN-181705 // JVNDB: JVNDB-2020-012620 // CNNVD: CNNVD-202010-1177 // NVD: CVE-2020-3580

SOURCES

db:	VULHUB	id:	VHN-181705
db:	VULMON	id:	CVE-2020-3580
db:	JVNDB	id:	JVNDB-2020-012620
db:	CNNVD	id:	CNNVD-202010-1177
db:	NVD	id:	CVE-2020-3580

LAST UPDATE DATE

2024-08-16T22:48:07.295000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-181705	date:	2022-05-26T00:00:00
db:	VULMON	id:	CVE-2020-3580	date:	2023-11-07T00:00:00
db:	JVNDB	id:	JVNDB-2020-012620	date:	2021-05-17T09:06:00
db:	CNNVD	id:	CNNVD-202010-1177	date:	2022-05-30T00:00:00
db:	NVD	id:	CVE-2020-3580	date:	2024-08-14T20:09:32.130

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-181705	date:	2020-10-21T00:00:00
db:	VULMON	id:	CVE-2020-3580	date:	2020-10-21T00:00:00
db:	JVNDB	id:	JVNDB-2020-012620	date:	2021-05-17T00:00:00
db:	CNNVD	id:	CNNVD-202010-1177	date:	2020-10-21T00:00:00
db:	NVD	id:	CVE-2020-3580	date:	2020-10-21T19:15:18.607