CVSS: 6.5EPSS: 0%CPEs: 6EXPL: 0CVE-2009-4455
https://notcve.org/view.php?id=CVE-2009-4455
The default configuration of Cisco ASA 5500 Series Adaptive Security Appliance (Cisco ASA) 7.0, 7.1, 7.2, 8.0, 8.1, and 8.2 allows portal traffic to access arbitrary backend servers, which might allow remote authenticated users to bypass intended access restrictions and access unauthorized web sites via a crafted URL obfuscated with ROT13 and a certain encoding. NOTE: this issue was originally reported as a vulnerability related to lack of restrictions to URLs listed in the Cisco WebVPN bookmark component, but the vendor states that "The bookmark feature is not a security feature." La configuración por defecto de Cisco ASA 5500 Series Adaptive Security Appliance (Cisco ASA) v7.0, v7.1, v7.2, v8.0, v8.1, y v8.2 permite que el tráfico del portal acceda a servidores de su elección en el backend, lo que podría permitir a usuarios autenticados remotamente eludir las restricciones de acceso implementadas y acceder a sitios web no autorizados mediante una URL ofuscada con ROT13 y cierto cifrado. NOTA: este comportamiento fue reportado originalmente como una carencia de restricciones en el listado de URLs en el componente de marcadores de Cisco WebVPN, pero el fabricante mantiene que "la característica de marcador no es una característica de seguridad" • http://osvdb.org/61132 http://secunia.com/advisories/37710 http://tools.cisco.com/security/center/viewAlert.x?alertId=19609 http://www.securityfocus.com/archive/1/508530/100/0/threaded http://www.securitytracker.com/id?1023368 http://www.vupen.com/english/advisories/2009/3577 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.8EPSS: 1%CPEs: 5EXPL: 0CVE-2009-2631
https://notcve.org/view.php?id=CVE-2009-2631
Multiple clientless SSL VPN products that run in web browsers, including Stonesoft StoneGate; Cisco ASA; SonicWALL E-Class SSL VPN and SonicWALL SSL VPN; SafeNet SecureWire Access Gateway; Juniper Networks Secure Access; Nortel CallPilot; Citrix Access Gateway; and other products, when running in configurations that do not restrict access to the same domain as the VPN, retrieve the content of remote URLs from one domain and rewrite them so they originate from the VPN's domain, which violates the same origin policy and allows remote attackers to conduct cross-site scripting attacks, read cookies that originated from other domains, access the Web VPN session to gain access to internal resources, perform key logging, and conduct other attacks. NOTE: it could be argued that this is a fundamental design problem in any clientless VPN solution, as opposed to a commonly-introduced error that can be fixed in separate implementations. Therefore a single CVE has been assigned for all products that have this design. Múltiples productos VPN de SSL sin cliente que se ejecutan en navegadores web, incluyendo StoneGate de Stonesoft; ASA de Cisco; E-Class SSL VPN de SonicWALL y SSL VPN de SonicWALL; SecureWire Access Gateway de SafeNet; Networks Secure Access de Juniper; CallPilot de Nortel; Access Gateway de Citrix; y otros productos, cuando se ejecutan en configuraciones que no restringen el acceso al mismo dominio que la VPN, recuperan el contenido de las direcciones URL remotas de un dominio y las reescriben para que se originen desde el dominio de la VPN, lo que viola la política del mismo origen y permite a atacantes remotos conducir ataques de tipo cross-site scripting, leer cookies que se originaron desde otros dominios, acceder a la sesión de VPN web para conseguir acceso a los recursos internos, realizar el registro de claves y conducir otros ataques. NOTA: se podría argumentar que se trata de un problema de diseño fundamental en cualquier solución VPN sin cliente, a diferencia de un error comúnmente introducido que puede ser corregido en implementaciones separadas. • http://kb.juniper.net/KB15799 http://seclists.org/fulldisclosure/2006/Jun/238 http://seclists.org/fulldisclosure/2006/Jun/269 http://seclists.org/fulldisclosure/2006/Jun/270 http://secunia.com/advisories/37696 http://secunia.com/advisories/37786 http://secunia.com/advisories/37788 http://secunia.com/advisories/37789 http://securitytracker.com/id?1023255 http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&DocumentOID=984744 http://www.kb.cert.org/vuls/id/261869 http:/ • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 2CVE-2009-1201 – Cisco ASA Appliance 8.x - WebVPN DOM Wrapper Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2009-1201
Eval injection vulnerability in the csco_wrap_js function in /+CSCOL+/cte.js in WebVPN on the Cisco Adaptive Security Appliances (ASA) device with software 8.0(4), 8.1.2, and 8.2.1 allows remote attackers to bypass a DOM wrapper and conduct cross-site scripting (XSS) attacks by setting CSCO_WebVPN['process'] to the name of a crafted function, aka Bug ID CSCsy80694. Vulnerabilidad de inyección "Eval" en la función csco_wrap_js en /+CSCOL+/cte.js en WebVPN en los dispositivos Cisco Adaptive Security Appliances (ASA) con software 8.0(4), 8.1.2, y 8.2.1, permite a atacantes remotos eludir un envoltorio (wrapper) DOM y realizar ataques de secuencias de comandos en sitios cruzados (XSS) configurando el valor CSCO_WebVPN['process'] con el nombre de la función modificada, alias Bug ID CSCsy80694. The Cisco ASA Web VPN versions 8.0(4), 8.1.2, and 8.2.1 suffer from cross site scripting, credential theft, and html rewriting bypass vulnerabilities. • https://www.exploit-db.com/exploits/33055 http://secunia.com/advisories/35511 http://www.securityfocus.com/archive/1/504516/100/0/threaded http://www.securityfocus.com/bid/35476 http://www.securitytracker.com/id?1022457 http://www.vupen.com/english/advisories/2009/1713 https://www.trustwave.com/spiderlabs/advisories/TWSL2009-002.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 0CVE-2009-1202 – Cisco ASA Web VPN Vulnerabilities
https://notcve.org/view.php?id=CVE-2009-1202
WebVPN on the Cisco Adaptive Security Appliances (ASA) device with software 8.0(4), 8.1.2, and 8.2.1 allows remote attackers to bypass certain protection mechanisms involving URL rewriting and HTML rewriting, and conduct cross-site scripting (XSS) attacks, by modifying the first hex-encoded character in a /+CSCO+ URI, aka Bug ID CSCsy80705. WebVPN en los dispositivos Cisco Adaptive Security Appliances (ASA) con software 8.0(4), 8.1.2, y 8.2.1 permite a atacantes remotos eludir ciertos mecanismos de protección que impliquen la reescritura de URL y HTML y realizar ataques de secuencias de comandos en sitios cruzados (XSS) modificando el primer carácter codificado hexadecimal en una URI /+CSCO+, alias Bug ID CSCsy80705. The Cisco ASA Web VPN versions 8.0(4), 8.1.2, and 8.2.1 suffer from cross site scripting, credential theft, and html rewriting bypass vulnerabilities. • http://secunia.com/advisories/35511 http://www.securityfocus.com/archive/1/504516/100/0/threaded http://www.securityfocus.com/bid/35480 http://www.securitytracker.com/id?1022457 http://www.vupen.com/english/advisories/2009/1713 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.0EPSS: 3%CPEs: 4EXPL: 2CVE-2009-1203 – Cisco Adaptive Security Appliance 8.x - Web VPN FTP or CIFS Authentication Form Phishing
https://notcve.org/view.php?id=CVE-2009-1203
WebVPN on the Cisco Adaptive Security Appliances (ASA) device with software 8.0(4), 8.1.2, and 8.2.1 does not properly distinguish its own login screen from the login screens it produces for third-party (1) FTP and (2) CIFS servers, which makes it easier for remote attackers to trick a user into sending WebVPN credentials to an arbitrary server via a URL associated with that server, aka Bug ID CSCsy80709. WebVPN en los dispositivos Cisco Adaptive Security Appliances (ASA) con software 8.0(4), 8.1.2, y 8.2.1 no distingue de manera apropiada su propia pantalla de login de las pantallas de login que produce para servidores (1) FTP and (2) CIFS de terceros, lo que facilita a atacantes remotos engañar a un usuario enviándole credenciales WebVPN para un servidor de su elección mediante una URL asociada con este servidor, alias Bug ID CSCsy80709. The Cisco ASA Web VPN versions 8.0(4), 8.1.2, and 8.2.1 suffer from cross site scripting, credential theft, and html rewriting bypass vulnerabilities. • https://www.exploit-db.com/exploits/33054 http://secunia.com/advisories/35511 http://www.securityfocus.com/archive/1/504516/100/0/threaded http://www.securityfocus.com/bid/35475 http://www.securitytracker.com/id?1022457 http://www.vupen.com/english/advisories/2009/1713 •