CVE-2020-3583

Name of the Vulnerable Software and Affected Versions: Cisco Adaptive Security Appliance (ASA) Software (affected versions not specified) Cisco Firepower Threat Defense (FTD) Software (affected versions not specified)

Description: The issue is related to insufficient validation of user-supplied input by the web services interface of affected devices, which could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the web services interface. An attacker could exploit this by persuading a user to click a crafted link, potentially allowing the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information. This affects only specific AnyConnect and WebVPN configurations.

Recommendations: For Cisco Adaptive Security Appliance (ASA) Software, update to a version that includes the fix for this issue. For Cisco Firepower Threat Defense (FTD) Software, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the web services interface to minimize the risk of exploitation. Avoid using the interface until the issue is resolved, especially in configurations that include AnyConnect and WebVPN.