PT-2010-2204 · Cisco · Cisco Secure Desktop +1

Published: 2010-02-01 · Updated: 2023-08-11 · CVE-2010-0440

CVSS v2.0: 4.3 (Medium)

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions

Cisco Secure Desktop versions prior to 3.5
Cisco ASA appliance versions prior to 8.2(1), 8.1(2.7), and 8.0(5)

Description

The issue allows remote attackers to inject arbitrary web script or HTML via a crafted POST parameter. This is due to improper handling by an eval statement in binary/mainv.js that writes to start.html. The vulnerability could allow an unauthenticated, remote attacker to conduct cross-site scripting attacks.

Recommendations

For Cisco Secure Desktop versions prior to 3.5, update to version 3.5 or later.
For Cisco ASA appliance versions prior to 8.2(1), update to version 8.2(1) or later.
For Cisco ASA appliance versions prior to 8.1(2.7), update to version 8.1(2.7) or later.
For Cisco ASA appliance versions prior to 8.0(5), update to version 8.0(5) or later.
As a temporary workaround, consider restricting access to the binary/mainv.js file to minimize the risk of exploitation.

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2010-0440

Affected Products

Cisco ASA
Cisco Secure Desktop