ID

VAR-202010-1052


CVE

CVE-2020-3580


TITLE

Cisco Adaptive Security Appliance and Cisco Firepower Threat Defense Cross-site scripting vulnerabilities in software

Trust: 0.8

sources: JVNDB: JVNDB-2020-012620

DESCRIPTION

Multiple vulnerabilities in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the web services interface of an affected device. The vulnerabilities are due to insufficient validation of user-supplied input by the web services interface of an affected device. An attacker could exploit these vulnerabilities by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive, browser-based information. Note: These vulnerabilities affect only specific AnyConnect and WebVPN configurations. For more information, see the Vulnerable Products section. The platform provides features such as highly secure access to data and network resources

Trust: 1.8

sources: NVD: CVE-2020-3580 // JVNDB: JVNDB-2020-012620 // VULHUB: VHN-181705 // VULMON: CVE-2020-3580

AFFECTED PRODUCTS

vendor: cisco, model: adaptive security appliance software, scope: lt, version: 9.9.2.85

Trust: 1.0

vendor: cisco, model: adaptive security appliance software, scope: lt, version: 9.14.2.8

Trust: 1.0

vendor: cisco, model: adaptive security appliance software, scope: lt, version: 9.8.4.34

Trust: 1.0

vendor: cisco, model: firepower threat defense, scope: lt, version: 6.6.4

Trust: 1.0

vendor: cisco, model: adaptive security appliance software, scope: lt, version: 9.13.1.21

Trust: 1.0

vendor: cisco, model: firepower threat defense, scope: gte, version: 6.5.0

Trust: 1.0

vendor: cisco, model: firepower threat defense, scope: lt, version: 6.4.0.12

Trust: 1.0

vendor: cisco, model: firepower threat defense, scope: lt, version: 6.7.0.2

Trust: 1.0

vendor: cisco, model: adaptive security appliance software, scope: gte, version: 9.14

Trust: 1.0

vendor: cisco, model: adaptive security appliance software, scope: gte, version: 9.13

Trust: 1.0

vendor: cisco, model: adaptive security appliance software, scope: gte, version: 9.9

Trust: 1.0

vendor: cisco, model: adaptive security appliance software, scope: gte, version: 9.15

Trust: 1.0

vendor: cisco, model: adaptive security appliance software, scope: lt, version: 9.15.1.15

Trust: 1.0

vendor: cisco, model: adaptive security appliance software, scope: lt, version: 9.12.4.13

Trust: 1.0

vendor: cisco, model: adaptive security appliance software, scope: gte, version: 9.10

Trust: 1.0

vendor: cisco, model: firepower threat defense, scope: gte, version: 6.7.0

Trust: 1.0

vendor: Cisco Systems, model: cisco adaptive security appliance software, scope: -, version: -

Trust: 0.8

vendor: Cisco Systems, model: cisco firepower threat defense software, scope: -, version: -

Trust: 0.8

Trust: 0.8

sources: JVNDB: JVNDB-2020-012620 // NVD: CVE-2020-3580

CVSS

SEVERITY

nvd@nist.gov: CVE-2020-3580
value: MEDIUM

Trust: 1.0

ykramarz@cisco.com: CVE-2020-3580
value: MEDIUM

Trust: 1.0

NVD: CVE-2020-3580
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202010-1177
value: MEDIUM

Trust: 0.6

VULHUB: VHN-181705
value: LOW

Trust: 0.1

VULMON: CVE-2020-3580
value: LOW

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2020-3580
severity: LOW
baseScore: 2.6
vectorString: AV:N/AC:H/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 4.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-181705
severity: LOW
baseScore: 2.6
vectorString: AV:N/AC:H/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 4.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2020-3580
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.1

Trust: 2.0

NVD: CVE-2020-3580
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-181705 // VULMON: CVE-2020-3580 // JVNDB: JVNDB-2020-012620 // CNNVD: CNNVD-202010-1177 // NVD: CVE-2020-3580 // NVD: CVE-2020-3580

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.1

problemtype: Cross-site scripting (CWE-79) [NVD Evaluation]

Trust: 0.8

sources: VULHUB: VHN-181705 // JVNDB: JVNDB-2020-012620 // NVD: CVE-2020-3580

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202010-1177

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202010-1177

PATCH

title: cisco-sa-asaftd-xss-multiple-FCB3vPZe, url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-xss-multiple-FCB3vPZe

Trust: 0.8

title: Cisco: Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Interface Cross-Site Scripting Vulnerabilities, url: https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-asaftd-xss-multiple-FCB3vPZe

Trust: 0.1

title: CVE-2020-3580 Automated Scanner, url: https://github.com/adarshvs/CVE-2020-3580

Trust: 0.1

title: CVE-2020-3580 Usage Example / Result, url: https://github.com/catatonicprime/CVE-2020-3580

Trust: 0.1

title: CVE-2020-3580 Automated Scanner Credit's, url: https://github.com/imhunterand/CVE-2020-3580

Trust: 0.1

title: HackerOneAPIClient, url: https://github.com/pdelteil/HackerOneAPIClient

Trust: 0.1

title: CVE-POC, url: https://github.com/n1sh1th/CVE-POC

Trust: 0.1

title: vulcat, url: https://github.com/CLincat/vulcat

Trust: 0.1

sources: VULMON: CVE-2020-3580 // JVNDB: JVNDB-2020-012620

EXTERNAL IDS

db: NVD, id: CVE-2020-3580

Trust: 2.6

db: JVNDB, id: JVNDB-2020-012620

Trust: 0.8

db: CNNVD, id: CNNVD-202010-1177

Trust: 0.7

db: AUSCERT, id: ESB-2020.3642

Trust: 0.6

db: AUSCERT, id: ESB-2020.3642.3

Trust: 0.6

db: NSFOCUS, id: 50204

Trust: 0.6

db: CNVD, id: CNVD-2020-59754

Trust: 0.1

db: VULHUB, id: VHN-181705

Trust: 0.1

db: VULMON, id: CVE-2020-3580

Trust: 0.1

sources: VULHUB: VHN-181705 // VULMON: CVE-2020-3580 // JVNDB: JVNDB-2020-012620 // CNNVD: CNNVD-202010-1177 // NVD: CVE-2020-3580

REFERENCES

url: https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-asaftd-xss-multiple-fcb3vpze

Trust: 2.3

url: https://nvd.nist.gov/vuln/detail/cve-2020-3580

Trust: 1.4

url: https://vigilance.fr/vulnerability/cisco-asa-software-cross-site-scripting-via-web-services-33675

Trust: 0.6

url: https://www.auscert.org.au/bulletins/esb-2020.3642.3

Trust: 0.6

url: http://www.nsfocus.net/vulndb/50204

Trust: 0.6

url: https://www.auscert.org.au/bulletins/esb-2020.3642/

Trust: 0.6

sources: VULHUB: VHN-181705 // JVNDB: JVNDB-2020-012620 // CNNVD: CNNVD-202010-1177 // NVD: CVE-2020-3580

SOURCES

db: VULHUB, id: VHN-181705
db: VULMON, id: CVE-2020-3580
db: JVNDB, id: JVNDB-2020-012620
db: CNNVD, id: CNNVD-202010-1177
db: NVD, id: CVE-2020-3580

LAST UPDATE DATE

2024-08-16T22:48:07.295000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-181705, date: 2022-05-26T00:00:00
db: VULMON, id: CVE-2020-3580, date: 2023-11-07T00:00:00
db: JVNDB, id: JVNDB-2020-012620, date: 2021-05-17T09:06:00
db: CNNVD, id: CNNVD-202010-1177, date: 2022-05-30T00:00:00
db: NVD, id: CVE-2020-3580, date: 2024-08-14T20:09:32.130

SOURCES RELEASE DATE

db: VULHUB, id: VHN-181705, date: 2020-10-21T00:00:00
db: VULMON, id: CVE-2020-3580, date: 2020-10-21T00:00:00
db: JVNDB, id: JVNDB-2020-012620, date: 2021-05-17T00:00:00
db: CNNVD, id: CNNVD-202010-1177, date: 2020-10-21T00:00:00
db: NVD, id: CVE-2020-3580, date: 2020-10-21T19:15:18.607