CVE-2006-3073: XSS
First published: Mon Jun 19 2006(Updated: )
Multiple cross-site scripting (XSS) vulnerabilities in the WebVPN feature in the Cisco VPN 3000 Series Concentrators and Cisco ASA 5500 Series Adaptive Security Appliances (ASA), when in WebVPN clientless mode, allow remote attackers to inject arbitrary web script or HTML via the domain parameter in (1) dnserror.html and (2) connecterror.html, aka bugid CSCsd81095 (VPN3k) and CSCse48193 (ASA). NOTE: the vendor states that "WebVPN full-network-access mode" is not affected, despite the claims by the original researcher.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Cisco ASA 5500 CSC-SSM | =7.0 | |
| Cisco ASA 5500 CSC-SSM | =7.0\(4\) | |
| Cisco ASA 5500 CSC-SSM | =7.0.4.3 | |
| Cisco VPN 3000 concentrator series software | =2.0 | |
| Cisco VPN 3000 concentrator series software | =2.5.2.a | |
| Cisco VPN 3000 concentrator series software | =2.5.2.b | |
| Cisco VPN 3000 concentrator series software | =2.5.2.c | |
| Cisco VPN 3000 concentrator series software | =2.5.2.d | |
| Cisco VPN 3000 concentrator series software | =2.5.2.f | |
| Cisco VPN 3000 concentrator series software | =3.0 | |
| Cisco VPN 3000 concentrator series software | =3.0.3.a | |
| Cisco VPN 3000 concentrator series software | =3.0.3.b | |
| Cisco VPN 3000 concentrator series software | =3.0.4 | |
| Cisco VPN 3000 concentrator series software | =3.1 | |
| Cisco VPN 3000 concentrator series software | =3.1\(rel\) | |
| Cisco VPN 3000 concentrator series software | =3.1.1 | |
| Cisco VPN 3000 concentrator series software | =3.1.2 | |
| Cisco VPN 3000 concentrator series software | =3.1.4 | |
| Cisco VPN 3000 concentrator series software | =3.5\(rel\) | |
| Cisco VPN 3000 concentrator series software | =3.5.1 | |
| Cisco VPN 3000 concentrator series software | =3.5.2 | |
| Cisco VPN 3000 concentrator series software | =3.5.3 | |
| Cisco VPN 3000 concentrator series software | =3.5.4 | |
| Cisco VPN 3000 concentrator series software | =3.5.5 | |
| Cisco VPN 3000 concentrator series software | =3.6 | |
| Cisco VPN 3000 concentrator series software | =3.6.1 | |
| Cisco VPN 3000 concentrator series software | =3.6.7 | |
| Cisco VPN 3000 concentrator series software | =3.6.7d | |
| Cisco VPN 3000 concentrator series software | =4.0 | |
| Cisco VPN 3000 concentrator series software | =4.0.1 | |
| Cisco VPN 3000 concentrator series software | =4.0.5.b | |
| Cisco VPN 3000 concentrator series software | =4.1 | |
| Cisco VPN 3000 concentrator series software | =4.1.5.b | |
| Cisco VPN 3000 concentrator series software | =4.1.7.a | |
| Cisco VPN 3000 concentrator series software | =4.1.7.b | |
| Cisco VPN 3000 concentrator series software | =4.7 | |
| Cisco VPN 3000 concentrator series software | =4.7.1 | |
| Cisco VPN 3000 concentrator series software | =4.7.1.f |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.securityfocus.com/archive/1/436479/30/0/threaded
- http://www.cisco.com/warp/public/707/cisco-sr-20060613-webvpn-xss.shtml
- http://www.securityfocus.com/bid/18419
- http://securitytracker.com/id?1016252
- http://secunia.com/advisories/20644
- http://www.osvdb.org/26453
- http://www.osvdb.org/26454
- http://www.vupen.com/english/advisories/2006/2331
- https://exchange.xforce.ibmcloud.com/vulnerabilities/27086
Frequently Asked Questions
What is the severity of CVE-2006-3073?
CVE-2006-3073 has a severity rating of medium due to its potential to facilitate cross-site scripting attacks.
How do I fix CVE-2006-3073?
To fix CVE-2006-3073, update the affected Cisco VPN 3000 Series Concentrators and ASA 5500 Series to the latest software version.
What systems are affected by CVE-2006-3073?
CVE-2006-3073 affects Cisco VPN 3000 Series Concentrators and Cisco ASA 5500 Series in WebVPN clientless mode.
Can CVE-2006-3073 lead to data breaches?
Yes, CVE-2006-3073 can lead to data breaches if attackers successfully exploit the XSS vulnerabilities.
What information can be leaked due to CVE-2006-3073?
Exploitation of CVE-2006-3073 may allow attackers to inject arbitrary scripts, potentially leading to the leakage of sensitive user data.
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/severity
- agent/references
- agent/author
- agent/last-modified-date
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-historical
- vendor/cisco
- product/asa 5500
- canonical/cisco asa 5500
- product/vpn 3000 concentrator series software
- canonical/cisco vpn 3000 concentrator series software
- canonical/cisco asa 5500 csc-ssm
- version/cisco asa 5500 csc-ssm/7.0
- version/cisco asa 5500 csc-ssm/7.0\(4\)
- version/cisco asa 5500 csc-ssm/7.0.4.3
- version/cisco vpn 3000 concentrator series software/2.0
- version/cisco vpn 3000 concentrator series software/2.5.2.a
- version/cisco vpn 3000 concentrator series software/2.5.2.b
- version/cisco vpn 3000 concentrator series software/2.5.2.c
- version/cisco vpn 3000 concentrator series software/2.5.2.d
- version/cisco vpn 3000 concentrator series software/2.5.2.f
- version/cisco vpn 3000 concentrator series software/3.0
- version/cisco vpn 3000 concentrator series software/3.0.3.a
- version/cisco vpn 3000 concentrator series software/3.0.3.b
- version/cisco vpn 3000 concentrator series software/3.0.4
- version/cisco vpn 3000 concentrator series software/3.1
- version/cisco vpn 3000 concentrator series software/3.1\(rel\)
- version/cisco vpn 3000 concentrator series software/3.1.1
- version/cisco vpn 3000 concentrator series software/3.1.2
- version/cisco vpn 3000 concentrator series software/3.1.4
- version/cisco vpn 3000 concentrator series software/3.5\(rel\)
- version/cisco vpn 3000 concentrator series software/3.5.1
- version/cisco vpn 3000 concentrator series software/3.5.2
- version/cisco vpn 3000 concentrator series software/3.5.3
- version/cisco vpn 3000 concentrator series software/3.5.4
- version/cisco vpn 3000 concentrator series software/3.5.5
- version/cisco vpn 3000 concentrator series software/3.6
- version/cisco vpn 3000 concentrator series software/3.6.1
- version/cisco vpn 3000 concentrator series software/3.6.7
- version/cisco vpn 3000 concentrator series software/3.6.7d
- version/cisco vpn 3000 concentrator series software/4.0
- version/cisco vpn 3000 concentrator series software/4.0.1
- version/cisco vpn 3000 concentrator series software/4.0.5.b
- version/cisco vpn 3000 concentrator series software/4.1
- version/cisco vpn 3000 concentrator series software/4.1.5.b
- version/cisco vpn 3000 concentrator series software/4.1.7.a
- version/cisco vpn 3000 concentrator series software/4.1.7.b
- version/cisco vpn 3000 concentrator series software/4.7
- version/cisco vpn 3000 concentrator series software/4.7.1
- version/cisco vpn 3000 concentrator series software/4.7.1.f