Vulnslist

Cisco AnyConnect and Cisco Host Scan Web Launch Cross-Site Scripting Vulnerability

Cisco-SA-20150210-CVE-2014-8021 · Medium · Published · Updated

A vulnerability in Cisco AnyConnect Secure Mobility Client and Cisco Host Scan could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against the user of the client when AnyConnect is launched through the web interface. The vulnerability is due to insufficient validation of a URL that is used to build a path for an applet in the Document Object Model (DOM). An attacker could exploit this vulnerability by convincing a user to click a malicious URL.

This vulnerability was reported to Cisco by Jason Sinchak. Cisco has confirmed the vulnerability in a security notice and released software updates.

To exploit the vulnerability, the attacker may provide a link that directs a user to a malicious site and use misleading language or instructions to persuade the user to follow the provided link. The temporal portion of the CVSS vector (E:F) indicates that functional exploit code exists; however, the code is not known to be publicly available.

Workarounds

Administrators are advised to apply the appropriate updates.

Users should verify that unsolicited links are safe to follow.

For additional information about XSS attacks and the methods used to exploit these vulnerabilities, see the Cisco Applied Mitigation Bulletin "Understanding Cross-Site Scripting (XSS) Threat Vectors": http://www.cisco.com/en/US/products/cmb/cisco-amb-20060922-understanding-xss.html

Administrators are advised to monitor affected systems.

CVEs: CVE-2014-8021
Cisco Bug IDs: CSCup82990, CSCuq80149
CVSS Score: Base 4.3
CVSS v2 Vector (base and temporal metrics): AV:N/AC:M/Au:N/C:N/I:P/A:N/E:F/RL:OF/RC:C
Product Names From Source: Cisco AnyConnect Secure Mobility Client, Cisco HostScan Engine, Cisco Secure Client

Related Products

Product                                  CVE             Evidence
Cisco Secure Client                      CVE-2014-8021   Cisco OpenVuln
Cisco HostScan Engine                    CVE-2014-8021   Cisco OpenVuln
Cisco AnyConnect Secure Mobility Client  CVE-2014-8021   Cisco OpenVuln