Cisco Support Community
Community Member

Webvpn Login Page Cross-Site Scripting Vulerability

Hi This is a question about this vulnerability "Cisco Adaptive Security Appliance WebVPN Login Page Cross-Site Scripting Vulnerability", I have Anyconnect and Webvpn enable on an interface, the running version is 8.4.4 and 8.4.5, the associated bug at this vulnerability is CSCun19025 "ASA WebVPN login page XSS vulnerability" webvpn enable outside anyconnect enable tunnel-group-list enable certificate-group-map Cert_Map_1 10 Employee_Backup_Group What could be the recommended action to take? Thanks for your help Regards

Hall of Fame Super Silver

Since there is no technical

Since there is no technical workaround available from Cisco (according to the BugSearch tool as of 3 April 2014), you will have to rely on mitigating the risk through user education. (The fixed releases noted are all Cisco internal - it looks like the upcoming 9.2 will include a fix but it may be several months before it is released.)

Since the PSIRT indicates the vulnerability is exploited by "convincing a user to access a malicious link", remind you users not to access unknown links - especially not while connected to your WebVPN.

Community Member

Hi MarvinThank for the

Hi Marvin

Thank for the information, what if I decided to upgrade, its is possible to upgrade from 8.4 to 9.1.5 ?, this because the bug said that prior to 8.4.7 and 9.1.4 could be affected, or what could be the best version to fix the bug?






CreatePlease to create content