
Cisco ASA and Cisco FTD - Cross-Site Scripting (CVE-2020-3580)

Severity
CVSSv3 Score: 6.1
Exploitable with Sniper: No
Vulnerability description

The Cisco ASA device is affected by a Cross-Site Scripting (XSS) vulnerability in the /+CSCOE+/saml/sp/acs endpoint. The root cause of this vulnerability is the lack of validation of user-supplied input. An attacker can exploit this vulnerability to inject malicious JavaScript code in the URI.

Risk description

A remote unauthenticated attacker could exploit this vulnerability by sending malicious URLs to Cisco ASA users and gain access to sensitive, browser-based information.

Recommendation

Applying the latest Cisco ASA patch will fix this vulnerability.

Detectable with: Network Scanner
Vuln date: Oct 2020
Published at
Updated at
Software Type: VPN gateway
Vendor: Cisco
Product: Adaptive Security Appliance (ASA)
Codename: Not available