Published: 21/10/2020 Updated: 07/11/2023

CVSS v2 Base Score: 2.6 | Impact Score: 2.9 | Exploitability Score: 4.9

CVSS v3 Base Score: 6.1 | Impact Score: 2.7 | Exploitability Score: 2.8

VMScore: 232

Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N

Multiple vulnerabilities in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote malicious user to conduct cross-site scripting (XSS) attacks against a user of the web services interface of an affected device. The vulnerabilities are due to insufficient validation of user-supplied input by the web services interface of an affected device. An attacker could exploit these vulnerabilities by persuading a user of the interface to click a crafted link. A successful exploit could allow the malicious user to execute arbitrary script code in the context of the interface or allow the malicious user to access sensitive, browser-based information. Note: These vulnerabilities affect only specific AnyConnect and WebVPN configurations. For more information, see the Vulnerable Products section.

Vulnerable Product	Search on Vulmon	Subscribe to Product
cisco firepower threat defense
cisco adaptive security appliance software

Update June 28, 2021: Cisco has become aware that public exploit code exists for CVE-2020-3580, and this vulnerability is being actively exploited Multiple vulnerabilities in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attac ...

Additional exploits for XSS in Cisco ASA devices discovered by PTSwarm

CVE-2020-3580 Additional exploits for XSS in Cisco ASA devices discovered by PTSwarm Usage Stage (address change me) Demonstrate Logon to Cisco ASA WebVPN Visit staged malicious page Recover your credentials Patch ;) Example / Result

This project is a bash client to use HackerOne's API.

HackerOneAPIClient The main idea of this project is to send reports automatically (or programmatically, some day automagically) to HackerOne programs Configuration Setup your HackerOne username and APIkey into the configtxt file Get your API Key here Create a dummy project here (I recommend you to also create another h1 account, otherwise you might have too many repo

Automated bulk IP or domain scanner for CVE 2020 3580. Cisco ASA and FTD XSS hunter.

CVE-2020-3580 Automated Scanner CVE-2020-3580 - Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software XSS Usage ▶ git clone "githubcom/adarshvs/CVE-2020-3580git" ▶ cd CVE-2020-3580 place domains/IP that you need to scan as txt file format in the same folder ▶ py

Additional exploits for XSS in Cisco ASA devices discovered by @pwn0sec

CVE-2020-3580 Automated Scanner CVE-2020-3580 - Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software XSS Installation Commands Clone the repository git clone githubcom/imhunterand/CVE-2020-3580git Go to the newly created directory cd CVE-2020-3580

CWE-79 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-xss-multiple-FCB3vPZe https://nvd.nist.gov https://github.com/catatonicprime/CVE-2020-3580 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-xss-multiple-FCB3vPZe

CVE-2020-3580

Vulnerability Summary

Vulnerability Trend

Vendor Advisories

Github Repositories

References

Vulmon Search

About

Products

Connect