Skip to content

A vulnerability in the Clientless SSL VPN (WebVPN) of...

Moderate severity Unreviewed Published May 24, 2022 to the GitHub Advisory Database • Updated Aug 16, 2023

Package

No package listedSuggest a package

Affected versions

Unknown

Patched versions

Unknown

Description

A vulnerability in the Clientless SSL VPN (WebVPN) of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to inject arbitrary HTTP headers in the responses of the affected system. The vulnerability is due to improper input sanitization. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to conduct a CRLF injection attack, adding arbitrary HTTP headers in the responses of the system and redirecting the user to arbitrary websites.

References

Published by the National Vulnerability Database Oct 21, 2020
Published to the GitHub Advisory Database May 24, 2022
Last updated Aug 16, 2023

Severity

Moderate
4.7
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Changed
Confidentiality
None
Integrity
Low
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

Weaknesses

CVE ID

CVE-2020-3561

GHSA ID

GHSA-pm23-qjx3-gg3f

Source code

No known source code

Dependabot alerts are not supported on this advisory because it does not have a package from a supported ecosystem with an affected and fixed version.

Learn more about GitHub language support

Checking history
See something to contribute? Suggest improvements for this vulnerability.