PT-2022-4099 · Cisco · Cisco ASA +1
Credit: James Kettle +1
Published: 2022-08-10 · Updated: 2024-02-16
CVE-2022-20713
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Cisco Adaptive Security Appliance (ASA) Software (affected versions not specified)
Cisco Firepower Threat Defense (FTD) Software (affected versions not specified)
Description
The vulnerability is caused by insufficient validation of input that the VPN web client services component (the Clientless SSL VPN portal) receives and returns to the user's browser. An unauthenticated, remote attacker (PR:N in the vector) could exploit it by persuading a user to visit an attacker-controlled website (UI:R) built to make the victim's browser send crafted requests to a device running Cisco ASA Software or Cisco FTD Software that has the web services endpoints supporting VPN features enabled. The device reflects the crafted input back to the victim's browser, where it is interpreted in the security context of the VPN portal rather than the attacker's site; this is why the vector records a scope change (S:C), with the appliance as the vulnerable component and the user's browser as the impacted one. A successful exploit allows the attacker to conduct browser-based attacks against that user, including cross-site scripting.
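What separates the vulnerable behaviour described above from a fixed one is whether HTML metacharacters in the reflected input reach the browser raw or encoded. The check below is an added example, not code from this advisory or from Cisco: it sends a canary-wrapped probe through a sink, inspects what comes back between the canaries, and reports which metacharacters survived unencoded. The two sample responses are constructed here to illustrate the two outcomes; they do not reproduce any actual ASA or FTD endpoint, parameter, or page.

```python
import html

# Metacharacters whose raw presence in an HTML response lets reflected input
# break out of its context. '&' is deliberately excluded: it appears inside
# entities such as &lt; in a correctly encoded response and would give
# false positives.
HTML_METACHARS = '<>"\''

# Canary-wrapped probe (constructed for this example). The canaries locate
# the reflection; the metacharacters between them are what we test.
CANARY = "zx7q"
PROBE = CANARY + HTML_METACHARS + CANARY


def reflected_segment(body: str, canary: str = CANARY):
    """Return the text echoed between the two canaries, or None when the
    probe was not reflected (or only one canary came back)."""
    start = body.find(canary)
    if start == -1:
        return None
    end = body.find(canary, start + len(canary))
    if end == -1:
        return None
    return body[start + len(canary):end]


def unencoded_metachars(body: str) -> list:
    """Metacharacters from PROBE that the response echoes back verbatim.

    An empty list means either no reflection or a fully encoded one, so this
    sink cannot carry a reflected XSS payload. A non-empty list names the
    characters that survive, i.e. the contexts an attacker can break out of.
    """
    seg = reflected_segment(body)
    if seg is None:
        return []
    return [c for c in HTML_METACHARS if c in seg]


def render_echo_page(user_input: str) -> str:
    """Hardened form of a page that echoes a request value: context-aware
    output encoding before the value is written into the HTML body."""
    return "<html><body>Echo: " + html.escape(user_input, quote=True) + "</body></html>"


# Constructed sample responses: a generic page that reflects the probe raw,
# and the same page rendered through render_echo_page().
VULNERABLE_RESPONSE = "<html><body>Echo: " + PROBE + "</body></html>"
FIXED_RESPONSE = render_echo_page(PROBE)

if __name__ == "__main__":
    print("vulnerable:", unencoded_metachars(VULNERABLE_RESPONSE))  # ['<', '>', '"', "'"]
    print("fixed:     ", unencoded_metachars(FIXED_RESPONSE))       # []
```

Because the attack in this advisory is launched from the victim's browser, the same check is the right verification after patching: the probe should come back with every metacharacter encoded, regardless of which source address the request originates from.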
Recommendations
For Cisco Adaptive Security Appliance (ASA) Software, consider disabling the Clientless SSL VPN feature until a fixed release is deployed. For Cisco Firepower Threat Defense (FTD) Software, restrict which sources can reach the VPN web client services component, and avoid exposing the web services endpoints that support VPN features until the issue is resolved. Access restrictions reduce exposure but do not remove the flaw: the malicious request is issued by the victim's own browser, so any user who can legitimately reach the portal can still be targeted. The missing input validation is in the device software and cannot be corrected through configuration; it requires a vendor fix. This page does not list a release that contains a fix for this vulnerability; consult the vendor's advisory for CVE-2022-20713 for the current fix status.

Weakness Enumeration
XSS
HTTP Request/Response Smuggling

Related Identifiers
BDU:2022-04934
CVE-2022-20713

Affected Products
Cisco ASA
Cisco FTD