Cisco Security Advisory

Cisco Adaptive Security Appliance and Firepower Threat Defense Software VPN Web Client Services Cross-Site Scripting Vulnerabilities

Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software have multiple vulnerabilities in their VPN web client services feature. These vulnerabilities could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a browser accessing an affected device.

The vulnerabilities are due to improper validation of user-supplied input to application endpoints. An attacker could exploit these vulnerabilities by persuading a user to follow a malicious link that submits malicious input to the affected application. A successful exploit could allow the attacker to execute arbitrary HTML or script code in the browser in the context of the web services page.

Cisco has released software updates to address these vulnerabilities, but there are no workarounds. The advisory is available at a specific link and is part of the October 2024 release of the Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication. The security impact rating is medium. The vulnerabilities are identified as CVE-2024-20341 and CVE-2024-20382. Users are advised to update their software to prevent potential attacks.
sec.cloudapps.cisco.com