Vulnerability CVE-2006-3073 - CERT Civis.Net

Vulnerability Name:

CVE-2006-3073 (CCN-27086)

Assigned:

2006-06-13

Published:

2006-06-13

Updated:

2018-10-30

Summary:

Multiple cross-site scripting (XSS) vulnerabilities in the WebVPN feature in the Cisco VPN 3000 Series Concentrators and Cisco ASA 5500 Series Adaptive Security Appliances (ASA), when in WebVPN clientless mode, allow remote attackers to inject arbitrary web script or HTML via the domain parameter in (1) dnserror.html and (2) connecterror.html, aka bugid CSCsd81095 (VPN3k) and CSCse48193 (ASA).
Note: the vendor states that "WebVPN full-network-access mode" is not affected, despite the claims by the original researcher.

CVSS v3 Severity:

3.7 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): High Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

2.6 Low (CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): High Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

2.6 Low (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): High Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

Vulnerability Type:

Vulnerability Consequences:

Gain Access

References:

Source: CCN
Type: Full-Disclosure Mailing List, Thu Jun 08 2006 - 15:48:18 CDT
SSL VPNs and security

Source: MITRE
Type: CNA
CVE-2006-3073

Source: CCN
Type: SA20644
Cisco WebVPN Cross-Site Scripting Vulnerability

Source: SECUNIA
Type: Vendor Advisory
20644

Source: CCN
Type: SECTRACK ID: 1016252
Cisco WebVPN Input Validation Hole in `dnserror.html` Permits Cross-Site Scripting Attacks

Source: SECTRACK
Type: Exploit
1016252

Source: CCN
Type: Cisco Security Response Advisory 2006 June 13 2200 UTC (GMT)
Cisco Security Response to: WebVPN Cross-Site Scripting Vulnerability

Source: CISCO
Type: UNKNOWN
20060613 WebVPN Cross-Site Scripting Vulnerability

Source: OSVDB
Type: UNKNOWN
26453

Source: OSVDB
Type: UNKNOWN
26454

Source: CCN
Type: OSVDB ID: 26453
Cisco WebVPN Clientless Mode dnserror.html domain Parameter XSS

Source: CCN
Type: OSVDB ID: 26454
Cisco WebVPN Clientless Mode connecterror.html XSS

Source: BUGTRAQ
Type: UNKNOWN
20060608 SSL VPNs and security

Source: BID
Type: UNKNOWN
18419

Source: CCN
Type: BID-18419
Cisco VPN3K/ASA WebVPN Clientless Mode Cross-Site Scripting Vulnerability

Source: VUPEN
Type: UNKNOWN
ADV-2006-2331

Source: XF
Type: UNKNOWN
cisco-webvpn-xss(27086)

Source: XF
Type: UNKNOWN
cisco-webvpn-xss(27086)

Vulnerable Configuration:

Configuration 1:

cpe:/h:cisco:asa_5500:7.0:*:*:*:*:*:*:*

OR cpe:/h:cisco:asa_5500:7.0(4):*:*:*:*:*:*:*

OR cpe:/h:cisco:asa_5500:7.0.4.3:*:*:*:*:*:*:*

OR cpe:/o:cisco:vpn_3000_concentrator_series_software:2.0:*:*:*:*:*:*:*

OR cpe:/o:cisco:vpn_3000_concentrator_series_software:2.5.2.a:*:*:*:*:*:*:*

OR cpe:/o:cisco:vpn_3000_concentrator_series_software:2.5.2.b:*:*:*:*:*:*:*

OR cpe:/o:cisco:vpn_3000_concentrator_series_software:2.5.2.c:*:*:*:*:*:*:*

OR cpe:/o:cisco:vpn_3000_concentrator_series_software:2.5.2.d:*:*:*:*:*:*:*

OR cpe:/o:cisco:vpn_3000_concentrator_series_software:2.5.2.f:*:*:*:*:*:*:*

OR cpe:/o:cisco:vpn_3000_concentrator_series_software:3.0:*:*:*:*:*:*:*

OR cpe:/o:cisco:vpn_3000_concentrator_series_software:3.0.3.a:*:*:*:*:*:*:*

OR cpe:/o:cisco:vpn_3000_concentrator_series_software:3.0.3.b:*:*:*:*:*:*:*

OR cpe:/o:cisco:vpn_3000_concentrator_series_software:3.0.4:*:*:*:*:*:*:*

OR cpe:/o:cisco:vpn_3000_concentrator_series_software:3.1:*:*:*:*:*:*:*

OR cpe:/o:cisco:vpn_3000_concentrator_series_software:3.1(rel):*:*:*:*:*:*:*

OR cpe:/o:cisco:vpn_3000_concentrator_series_software:3.1.1:*:*:*:*:*:*:*

OR cpe:/o:cisco:vpn_3000_concentrator_series_software:3.1.2:*:*:*:*:*:*:*

OR cpe:/o:cisco:vpn_3000_concentrator_series_software:3.1.4:*:*:*:*:*:*:*

OR cpe:/o:cisco:vpn_3000_concentrator_series_software:3.5(rel):*:*:*:*:*:*:*

OR cpe:/o:cisco:vpn_3000_concentrator_series_software:3.5.1:*:*:*:*:*:*:*

OR cpe:/o:cisco:vpn_3000_concentrator_series_software:3.5.2:*:*:*:*:*:*:*

OR cpe:/o:cisco:vpn_3000_concentrator_series_software:3.5.3:*:*:*:*:*:*:*

OR cpe:/o:cisco:vpn_3000_concentrator_series_software:3.5.4:*:*:*:*:*:*:*

OR cpe:/o:cisco:vpn_3000_concentrator_series_software:3.5.5:*:*:*:*:*:*:*

OR cpe:/o:cisco:vpn_3000_concentrator_series_software:3.6:*:*:*:*:*:*:*

OR cpe:/o:cisco:vpn_3000_concentrator_series_software:3.6.1:*:*:*:*:*:*:*

OR cpe:/o:cisco:vpn_3000_concentrator_series_software:3.6.7:*:*:*:*:*:*:*

OR cpe:/o:cisco:vpn_3000_concentrator_series_software:3.6.7d:*:*:*:*:*:*:*

OR cpe:/o:cisco:vpn_3000_concentrator_series_software:4.0:*:*:*:*:*:*:*

OR cpe:/o:cisco:vpn_3000_concentrator_series_software:4.0.1:*:*:*:*:*:*:*

OR cpe:/o:cisco:vpn_3000_concentrator_series_software:4.0.5.b:*:*:*:*:*:*:*

OR cpe:/o:cisco:vpn_3000_concentrator_series_software:4.1:*:*:*:*:*:*:*

OR cpe:/o:cisco:vpn_3000_concentrator_series_software:4.1.5.b:*:*:*:*:*:*:*

OR cpe:/o:cisco:vpn_3000_concentrator_series_software:4.1.7.a:*:*:*:*:*:*:*

OR cpe:/o:cisco:vpn_3000_concentrator_series_software:4.1.7.b:*:*:*:*:*:*:*

OR cpe:/o:cisco:vpn_3000_concentrator_series_software:4.7:*:*:*:*:*:*:*

OR cpe:/o:cisco:vpn_3000_concentrator_series_software:4.7.1:*:*:*:*:*:*:*

OR cpe:/o:cisco:vpn_3000_concentrator_series_software:4.7.1.f:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/h:cisco:vpn_3000_concentrator:*:*:*:*:*:*:*:*

OR cpe:/h:cisco:asa_5500:*:*:*:*:*:*:*:*

Denotes that component is vulnerable