Cross-Site Scripting Vulnerabilities in Cisco VPN 3000 Series and ASA 5500 Series
CVE-2006-3073

Currently unrated

Key Information:

Vendor
Cisco
CVE Published:
19 June 2006

Summary

Two separate cross-site scripting (XSS) vulnerabilities exist in the WebVPN feature of the Cisco VPN 3000 Series Concentrators and ASA 5500 Series Adaptive Security Appliances. They allow remote attackers to inject arbitrary script or HTML through the 'domain' parameter of two error pages (dnserror.html and connecterror.html) when the devices are in clientless WebVPN mode. According to vendor statements, devices operating in 'full-network-access mode' are not affected.
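A detection check for the condition described above, as an added example that is not part of the CVE record or of any Cisco material: it scans web access-log lines for requests to the two error pages whose 'domain' value is not a plain hostname. The log format, the `/EXAMPLE-PATH/` prefix, the hostname allow-list and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Error pages and parameter named in the summary above.
ERROR_PAGES = {"dnserror.html", "connecterror.html"}
PARAM = "domain"
# Assumption: a legitimate value is a hostname, so only these characters are expected.
SAFE_DOMAIN = re.compile(r"[A-Za-z0-9.-]{0,253}")
# Request line of a common/combined-format access log entry (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[0-9.]+"')


def suspicious_domain_values(log_line):
    """Return decoded 'domain' values in this log line that are not plain hostnames."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    page = url.path.rsplit("/", 1)[-1].lower()
    if page not in ERROR_PAGES:
        return []
    # parse_qs percent-decodes values, so URL-encoded markup is compared in decoded form.
    params = parse_qs(url.query, keep_blank_values=True)
    values = [v for k, vs in params.items() if k.lower() == PARAM for v in vs]
    return [v for v in values if not SAFE_DOMAIN.fullmatch(v)]


def scan(lines):
    """Return (line_number, suspicious_values) for every line that should be reviewed."""
    hits = []
    for number, line in enumerate(lines, 1):
        bad = suspicious_domain_values(line)
        if bad:
            hits.append((number, bad))
    return hits


# Constructed sample log lines; /EXAMPLE-PATH/ is a placeholder, not the real URL prefix.
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Jun/2006:10:00:01 +0000] "GET /EXAMPLE-PATH/dnserror.html?domain=intranet.example.com HTTP/1.1" 200 512',
    '192.0.2.11 - - [19/Jun/2006:10:00:05 +0000] "GET /EXAMPLE-PATH/dnserror.html?domain=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 540',
    '192.0.2.12 - - [19/Jun/2006:10:00:09 +0000] "GET /EXAMPLE-PATH/other.html?domain=%3Cb%3E HTTP/1.1" 200 100',
    '192.0.2.13 - - [19/Jun/2006:10:00:12 +0000] "GET /EXAMPLE-PATH/connecterror.html?domain=%22%3E%3Cimg%20src%3Dx%3E HTTP/1.1" 200 530',
]

if __name__ == "__main__":
    for number, values in scan(SAMPLE_LOG):
        print(f"line {number}: suspicious domain value(s): {values}")
```

The allow-list flags anything that is not a hostname, so it also catches encodings and markup variants that a block-list of tags would miss.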

Timeline

  • Vulnerability published

  • Vulnerability Reserved