CVE-2009-1201

Name of the Vulnerable Software and Affected Versions Cisco Adaptive Security Appliances (ASA) versions prior to 8.0.4(34) Cisco Adaptive Security Appliances (ASA) versions prior to 8.1.2(25) Cisco Adaptive Security Appliances (ASA) versions prior to 8.2.1(3)

Description The issue allows remote attackers to bypass a DOM wrapper and conduct cross-site scripting (XSS) attacks by setting CSCO WebVPN['process'] to the name of a crafted function. This is related to an eval injection vulnerability in the csco wrap js function in /+CSCOL+/cte.js in WebVPN on the Cisco Adaptive Security Appliances (ASA) device. The vulnerability can be exploited when the device is configured to accept Clientless SSL VPN connections.

Recommendations For versions prior to 8.0.4(34), update to version 8.0.4(34) or later. For versions prior to 8.1.2(25), update to version 8.1.2(25) or later. For versions prior to 8.2.1(3), update to version 8.2.1(3) or later. As a temporary workaround, consider restricting access to the WebVPN feature until a patch is applied.