CVE-2009-1203

high

Description

WebVPN on the Cisco Adaptive Security Appliances (ASA) device with software 8.0(4), 8.1.2, and 8.2.1 does not properly distinguish its own login screen from the login screens it produces for third-party (1) FTP and (2) CIFS servers, which makes it easier for remote attackers to trick a user into sending WebVPN credentials to an arbitrary server via a URL associated with that server, aka Bug ID CSCsy80709.

References

http://www.vupen.com/english/advisories/2009/1713

http://www.securitytracker.com/id?1022457

http://www.securityfocus.com/archive/1/504516/100/0/threaded

http://secunia.com/advisories/35511

Details

Source: Mitre, NVD

Published: 2009-06-25

Updated: 2026-06-16

Risk Information

CVSS v2

Base Score: 6

Vector: CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 7.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

Severity: High

EPSS

EPSS: 0.03501