Vigil@nce: Cisco ASA, Secure Desktop, Cross Site Scripting
February 2010 by Vigil@nce
An attacker can trigger a Cross Site Scripting attack in Cisco Secure
Desktop.
– Severity: 2/4
– Consequences: client access/rights
– Provenance: document
– Means of attack: 1 attack
– Ability of attacker: technician (2/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 02/02/2010
IMPACTED PRODUCTS
– Cisco PIX/ASA Software
DESCRIPTION OF THE VULNERABILITY
The Cisco Secure Desktop product is used to check the security
level of computers connecting to the VPN.
The https://computer/+CSCOT+/translation page of CSD generates a
variable containing the translated text.
However, posted parameters are not filtered before being displayed.
An attacker can therefore trigger a Cross Site Scripting attack in Cisco
Secure Desktop.
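The output-encoding fix for the pattern described above, as an added example (not Cisco's code and not part of the original advisory). The function names, the variable name "translated" and the probe string are assumptions made for illustration.

```javascript
'use strict';

// Encode untrusted text for a quoted JavaScript string literal that is
// emitted inside an HTML <script> block. Every UTF-16 code unit outside
// [A-Za-z0-9 ] becomes \uXXXX, so quotes, backslashes, '<', '>', '&' and
// line terminators (including U+2028/U+2029) can end neither the literal
// nor the enclosing script element.
function encodeForJsString(untrusted) {
  let out = '';
  for (let i = 0; i < untrusted.length; i++) {
    const ch = untrusted[i];
    if (/[A-Za-z0-9 ]/.test(ch)) {
      out += ch;
    } else {
      out += '\\u' + untrusted.charCodeAt(i).toString(16).padStart(4, '0');
    }
  }
  return out;
}

// Pattern the advisory describes: the posted value is copied as-is into
// the generated variable (hypothetical rendering, kept only for contrast).
function renderUnfiltered(value) {
  return '<script>var translated = "' + value + '";</script>';
}

// Hardened rendering: the posted value is encoded for its output context.
function renderEncoded(value) {
  return '<script>var translated = "' +
         encodeForJsString(String(value)) + '";</script>';
}

// Constructed probe covering the characters that matter in this context:
// double quote, backslash, a script end tag and a Unicode line separator.
const PROBE = 'a"b\\c</script>\u2028d';

// Extract what the page places between the literal's opening quote and
// the closing '";</script>' of the generated block.
function literalBody(page) {
  const start = page.indexOf('"') + 1;
  return page.slice(start, page.lastIndexOf('";</script>'));
}

console.log(renderEncoded(PROBE));
```

The encoder is specific to the JavaScript-string-in-script context; values written into HTML text or attributes need the encoding for that context instead.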
CHARACTERISTICS
– Identifiers: 19843, BID-37960, CORE-2010-0106, CVE-2010-0440,
VIGILANCE-VUL-9398
– URL: http://vigilance.fr/vulnerability/Cisco-ASA-Secure-Desktop-Cross-Site-Scripting-9398