CVE-2024-20382

Name of the Vulnerable Software and Affected Versions: Cisco Adaptive Security Appliance (ASA) Software (affected versions not specified) Cisco Firepower Threat Defense (FTD) Software (affected versions not specified)

Description: A vulnerability in the VPN web client services feature could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a browser that is accessing an affected device. This is due to improper validation of user-supplied input to application endpoints. An attacker could exploit this vulnerability by persuading a user to follow a link designed to submit malicious input to the affected application. A successful exploit could allow the attacker to execute arbitrary HTML or script code in the browser in the context of the web services page.

Recommendations: For Cisco Adaptive Security Appliance (ASA) Software, consider disabling the VPN web client services feature until a patch is available. For Cisco Firepower Threat Defense (FTD) Software, restrict access to the VPN web client services feature to minimize the risk of exploitation. As a temporary workaround, consider implementing input validation for all user-supplied input to application endpoints. At the moment, there is no information about a newer version that contains a fix for this vulnerability.