CVE-2020-3578

CVE Database · CVE-2020-3578

CVE-2020-3578

· MEDIUMModified

CVSS v3.1

5.3

EPSS

1.22%

Published

Oct 21, 2020

Modified

Nov 21, 2024

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass a configured access rule and access parts of the WebVPN portal that are supposed to be blocked. The vulnerability is due to insufficient validation of URLs when portal access rules are configured. An attacker could exploit this vulnerability by accessing certain URLs on the affected device.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Weaknesses (CWE)

CWE-863CWE-863

Affected Products (11)

cisco · firepower_threat_defense (up to 6.3.0.6)vulnerable

cisco · firepower_threat_defense (up to 6.4.0.10)vulnerable

cisco · firepower_threat_defense (up to 6.5.0.5)vulnerable

cisco · firepower_threat_defense (up to 6.6.1)vulnerable

cisco · adaptive_security_appliance_software (up to 9.6.4.45)vulnerable

cisco · adaptive_security_appliance_software (up to 9.8.4.26)vulnerable

cisco · adaptive_security_appliance_software (up to 9.9.2.80)vulnerable