CVE-2014-2120 : Cross-site scripting (XSS) vulnerability in the WebVPN login page in Cisco Adapt

Cross-site scripting (XSS) vulnerability in the WebVPN login page in Cisco Adaptive Security Appliance (ASA) Software allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka Bug ID CSCun19025.

Published 2014-03-19 01:15:04

Updated 2025-04-12 10:46:41

Source Cisco Systems, Inc.

View at NVD, CVE.org

Vulnerability category: Cross site scripting (XSS)

Products affected by CVE-2014-2120

Cisco » Adaptive Security Appliance Software » Version: N/A
cpe:2.3:o:cisco:adaptive_security_appliance_software:-:*:*:*:*:*:*:*
Matching versions

CVE-2014-2120 is in the CISA Known Exploited Vulnerabilities Catalog

CISA vulnerability name:

Cisco Adaptive Security Appliance (ASA) Cross-Site Scripting (XSS) Vulnerability

CISA required action:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CISA description:

Cisco Adaptive Security Appliance (ASA) contains a cross-site scripting (XSS) vulnerability in the WebVPN login page. This vulnerability allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter.

Notes:

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-CVE-2014-2120 ; https://nvd.nist.gov/vuln/detail/CVE-2014-2120

Added on 2024-11-12 Action due date 2024-12-03

Exploit prediction scoring system (EPSS) score for CVE-2014-2120

EPSS FAQ

76.82%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 99 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2014-2120

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
4.3	MEDIUM	AV:N/AC:M/Au:N/C:N/I:P/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None
5.4	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	2.3	2.7	134c704f-9b21-4f2e-91b3-4a467353bcc0	2024-11-13
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None
6.1	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	2.8	2.7	NIST	2024-11-14
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None

CWE ids for CVE-2014-2120

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Assigned by:
- 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
- nvd@nist.gov (Primary)

References for CVE-2014-2120

http://www.securitytracker.com/id/1029935

Cisco ASA Input Validation Hole in WebVPN Interface Permits Cross-Site Scripting Attacks - SecurityTracker
Broken Link;Third Party Advisory;VDB Entry
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-2120

Cisco Adaptive Security Appliance WebVPN Login Page Cross-Site Scripting Vulnerability
Broken Link;Vendor Advisory
http://www.securityfocus.com/bid/66290

Cisco Adaptive Security Appliance CVE-2014-2120 Cross Site Scripting Vulnerability
Broken Link;Third Party Advisory;VDB Entry