A vulnerability in the VPN web client services component of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct browser-based attacks against users of an affected device. This vulnerability is due to improper validation of input that is passed to the VPN web client services component before being returned to the browser that is in use. An attacker could exploit this vulnerability by persuading a user to visit a website that is designed to pass malicious requests to a device that is running Cisco ASA Software or Cisco FTD Software and has web services endpoints supporting VPN features enabled. A successful exploit could allow the attacker to reflect malicious input from the affected device to the browser that is in use and conduct browser-based attacks, including cross-site scripting attacks. The attacker could not directly impact the affected device.
The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Firepower_threat_defense | Cisco | 6.2.3 (including) | 6.2.3 (including) |
| Firepower_threat_defense | Cisco | 6.2.3.1 (including) | 6.2.3.1 (including) |
| Firepower_threat_defense | Cisco | 6.2.3.2 (including) | 6.2.3.2 (including) |
| Firepower_threat_defense | Cisco | 6.2.3.3 (including) | 6.2.3.3 (including) |
| Firepower_threat_defense | Cisco | 6.2.3.4 (including) | 6.2.3.4 (including) |
| Firepower_threat_defense | Cisco | 6.2.3.5 (including) | 6.2.3.5 (including) |
| Firepower_threat_defense | Cisco | 6.2.3.6 (including) | 6.2.3.6 (including) |
| Firepower_threat_defense | Cisco | 6.2.3.7 (including) | 6.2.3.7 (including) |
| Firepower_threat_defense | Cisco | 6.2.3.8 (including) | 6.2.3.8 (including) |
| Firepower_threat_defense | Cisco | 6.2.3.9 (including) | 6.2.3.9 (including) |
| Firepower_threat_defense | Cisco | 6.2.3.10 (including) | 6.2.3.10 (including) |
| Firepower_threat_defense | Cisco | 6.2.3.11 (including) | 6.2.3.11 (including) |
| Firepower_threat_defense | Cisco | 6.2.3.12 (including) | 6.2.3.12 (including) |
| Firepower_threat_defense | Cisco | 6.2.3.13 (including) | 6.2.3.13 (including) |
| Firepower_threat_defense | Cisco | 6.2.3.14 (including) | 6.2.3.14 (including) |
| Firepower_threat_defense | Cisco | 6.2.3.15 (including) | 6.2.3.15 (including) |
| Firepower_threat_defense | Cisco | 6.2.3.16 (including) | 6.2.3.16 (including) |
| Firepower_threat_defense | Cisco | 6.2.3.17 (including) | 6.2.3.17 (including) |
| Firepower_threat_defense | Cisco | 6.2.3.18 (including) | 6.2.3.18 (including) |
| Firepower_threat_defense | Cisco | 6.4.0 (including) | 6.4.0 (including) |
| Firepower_threat_defense | Cisco | 6.4.0.1 (including) | 6.4.0.1 (including) |
| Firepower_threat_defense | Cisco | 6.4.0.2 (including) | 6.4.0.2 (including) |
| Firepower_threat_defense | Cisco | 6.4.0.3 (including) | 6.4.0.3 (including) |
| Firepower_threat_defense | Cisco | 6.4.0.4 (including) | 6.4.0.4 (including) |
| Firepower_threat_defense | Cisco | 6.4.0.5 (including) | 6.4.0.5 (including) |
| Firepower_threat_defense | Cisco | 6.4.0.6 (including) | 6.4.0.6 (including) |
| Firepower_threat_defense | Cisco | 6.4.0.7 (including) | 6.4.0.7 (including) |
| Firepower_threat_defense | Cisco | 6.4.0.8 (including) | 6.4.0.8 (including) |
| Firepower_threat_defense | Cisco | 6.4.0.9 (including) | 6.4.0.9 (including) |
| Firepower_threat_defense | Cisco | 6.4.0.10 (including) | 6.4.0.10 (including) |
| Firepower_threat_defense | Cisco | 6.4.0.11 (including) | 6.4.0.11 (including) |
| Firepower_threat_defense | Cisco | 6.4.0.12 (including) | 6.4.0.12 (including) |
| Firepower_threat_defense | Cisco | 6.4.0.13 (including) | 6.4.0.13 (including) |
| Firepower_threat_defense | Cisco | 6.4.0.14 (including) | 6.4.0.14 (including) |
| Firepower_threat_defense | Cisco | 6.4.0.15 (including) | 6.4.0.15 (including) |
| Firepower_threat_defense | Cisco | 6.4.0.16 (including) | 6.4.0.16 (including) |
| Firepower_threat_defense | Cisco | 6.6.0 (including) | 6.6.0 (including) |
| Firepower_threat_defense | Cisco | 6.6.0.1 (including) | 6.6.0.1 (including) |
| Firepower_threat_defense | Cisco | 6.6.1 (including) | 6.6.1 (including) |
| Firepower_threat_defense | Cisco | 6.6.3 (including) | 6.6.3 (including) |
| Firepower_threat_defense | Cisco | 6.6.4 (including) | 6.6.4 (including) |
| Firepower_threat_defense | Cisco | 6.6.5 (including) | 6.6.5 (including) |
| Firepower_threat_defense | Cisco | 6.6.5.1 (including) | 6.6.5.1 (including) |
| Firepower_threat_defense | Cisco | 6.6.5.2 (including) | 6.6.5.2 (including) |
| Firepower_threat_defense | Cisco | 6.6.7 (including) | 6.6.7 (including) |
| Firepower_threat_defense | Cisco | 6.6.7.1 (including) | 6.6.7.1 (including) |
| Firepower_threat_defense | Cisco | 6.7.0 (including) | 6.7.0 (including) |
| Firepower_threat_defense | Cisco | 6.7.0.1 (including) | 6.7.0.1 (including) |
| Firepower_threat_defense | Cisco | 6.7.0.2 (including) | 6.7.0.2 (including) |
| Firepower_threat_defense | Cisco | 6.7.0.3 (including) | 6.7.0.3 (including) |
| Firepower_threat_defense | Cisco | 7.0.0 (including) | 7.0.0 (including) |
| Firepower_threat_defense | Cisco | 7.0.0.1 (including) | 7.0.0.1 (including) |
| Firepower_threat_defense | Cisco | 7.0.1 (including) | 7.0.1 (including) |
| Firepower_threat_defense | Cisco | 7.0.1.1 (including) | 7.0.1.1 (including) |
| Firepower_threat_defense | Cisco | 7.0.2 (including) | 7.0.2 (including) |
| Firepower_threat_defense | Cisco | 7.0.2.1 (including) | 7.0.2.1 (including) |
| Firepower_threat_defense | Cisco | 7.0.3 (including) | 7.0.3 (including) |
| Firepower_threat_defense | Cisco | 7.0.4 (including) | 7.0.4 (including) |
| Firepower_threat_defense | Cisco | 7.0.5 (including) | 7.0.5 (including) |
| Firepower_threat_defense | Cisco | 7.1.0 (including) | 7.1.0 (including) |
| Firepower_threat_defense | Cisco | 7.1.0.1 (including) | 7.1.0.1 (including) |
| Firepower_threat_defense | Cisco | 7.1.0.2 (including) | 7.1.0.2 (including) |
| Firepower_threat_defense | Cisco | 7.1.0.3 (including) | 7.1.0.3 (including) |
| Firepower_threat_defense | Cisco | 7.2.0 (including) | 7.2.0 (including) |
| Firepower_threat_defense | Cisco | 7.2.0.1 (including) | 7.2.0.1 (including) |
| Firepower_threat_defense | Cisco | 7.2.1 (including) | 7.2.1 (including) |
| Firepower_threat_defense | Cisco | 7.2.2 (including) | 7.2.2 (including) |
| Firepower_threat_defense | Cisco | 7.2.3 (including) | 7.2.3 (including) |
| Firepower_threat_defense | Cisco | 7.3.0 (including) | 7.3.0 (including) |
| Firepower_threat_defense | Cisco | 7.3.1 (including) | 7.3.1 (including) |
| Firepower_threat_defense | Cisco | 7.3.1.1 (including) | 7.3.1.1 (including) |
| Adaptive_security_appliance_software | Cisco | 9.8.1 (including) | 9.8.1 (including) |
| Adaptive_security_appliance_software | Cisco | 9.8.1.5 (including) | 9.8.1.5 (including) |
| Adaptive_security_appliance_software | Cisco | 9.8.1.7 (including) | 9.8.1.7 (including) |
| Adaptive_security_appliance_software | Cisco | 9.8.2 (including) | 9.8.2 (including) |
| Adaptive_security_appliance_software | Cisco | 9.8.2.8 (including) | 9.8.2.8 (including) |
| Adaptive_security_appliance_software | Cisco | 9.8.2.14 (including) | 9.8.2.14 (including) |
| Adaptive_security_appliance_software | Cisco | 9.8.2.15 (including) | 9.8.2.15 (including) |
| Adaptive_security_appliance_software | Cisco | 9.8.2.17 (including) | 9.8.2.17 (including) |
| Adaptive_security_appliance_software | Cisco | 9.8.2.20 (including) | 9.8.2.20 (including) |
| Adaptive_security_appliance_software | Cisco | 9.8.2.24 (including) | 9.8.2.24 (including) |
| Adaptive_security_appliance_software | Cisco | 9.8.2.26 (including) | 9.8.2.26 (including) |
| Adaptive_security_appliance_software | Cisco | 9.8.2.28 (including) | 9.8.2.28 (including) |
| Adaptive_security_appliance_software | Cisco | 9.8.2.33 (including) | 9.8.2.33 (including) |
| Adaptive_security_appliance_software | Cisco | 9.8.2.35 (including) | 9.8.2.35 (including) |
| Adaptive_security_appliance_software | Cisco | 9.8.2.38 (including) | 9.8.2.38 (including) |
| Adaptive_security_appliance_software | Cisco | 9.8.3 (including) | 9.8.3 (including) |
| Adaptive_security_appliance_software | Cisco | 9.8.3.8 (including) | 9.8.3.8 (including) |
| Adaptive_security_appliance_software | Cisco | 9.8.3.11 (including) | 9.8.3.11 (including) |
| Adaptive_security_appliance_software | Cisco | 9.8.3.14 (including) | 9.8.3.14 (including) |
| Adaptive_security_appliance_software | Cisco | 9.8.3.16 (including) | 9.8.3.16 (including) |
| Adaptive_security_appliance_software | Cisco | 9.8.3.18 (including) | 9.8.3.18 (including) |
| Adaptive_security_appliance_software | Cisco | 9.8.3.21 (including) | 9.8.3.21 (including) |
| Adaptive_security_appliance_software | Cisco | 9.8.3.26 (including) | 9.8.3.26 (including) |
| Adaptive_security_appliance_software | Cisco | 9.8.3.29 (including) | 9.8.3.29 (including) |
| Adaptive_security_appliance_software | Cisco | 9.8.4 (including) | 9.8.4 (including) |
| Adaptive_security_appliance_software | Cisco | 9.8.4.3 (including) | 9.8.4.3 (including) |
| Adaptive_security_appliance_software | Cisco | 9.8.4.7 (including) | 9.8.4.7 (including) |
| Adaptive_security_appliance_software | Cisco | 9.8.4.8 (including) | 9.8.4.8 (including) |
| Adaptive_security_appliance_software | Cisco | 9.8.4.10 (including) | 9.8.4.10 (including) |
| Adaptive_security_appliance_software | Cisco | 9.8.4.12 (including) | 9.8.4.12 (including) |
| Adaptive_security_appliance_software | Cisco | 9.8.4.15 (including) | 9.8.4.15 (including) |
| Adaptive_security_appliance_software | Cisco | 9.8.4.17 (including) | 9.8.4.17 (including) |
| Adaptive_security_appliance_software | Cisco | 9.8.4.20 (including) | 9.8.4.20 (including) |
| Adaptive_security_appliance_software | Cisco | 9.8.4.22 (including) | 9.8.4.22 (including) |
| Adaptive_security_appliance_software | Cisco | 9.8.4.25 (including) | 9.8.4.25 (including) |
| Adaptive_security_appliance_software | Cisco | 9.8.4.26 (including) | 9.8.4.26 (including) |
| Adaptive_security_appliance_software | Cisco | 9.8.4.29 (including) | 9.8.4.29 (including) |
| Adaptive_security_appliance_software | Cisco | 9.8.4.32 (including) | 9.8.4.32 (including) |
| Adaptive_security_appliance_software | Cisco | 9.8.4.33 (including) | 9.8.4.33 (including) |
| Adaptive_security_appliance_software | Cisco | 9.8.4.34 (including) | 9.8.4.34 (including) |
| Adaptive_security_appliance_software | Cisco | 9.8.4.35 (including) | 9.8.4.35 (including) |
| Adaptive_security_appliance_software | Cisco | 9.8.4.39 (including) | 9.8.4.39 (including) |
| Adaptive_security_appliance_software | Cisco | 9.8.4.40 (including) | 9.8.4.40 (including) |
| Adaptive_security_appliance_software | Cisco | 9.8.4.41 (including) | 9.8.4.41 (including) |
| Adaptive_security_appliance_software | Cisco | 9.8.4.43 (including) | 9.8.4.43 (including) |
| Adaptive_security_appliance_software | Cisco | 9.8.4.44 (including) | 9.8.4.44 (including) |
| Adaptive_security_appliance_software | Cisco | 9.8.4.45 (including) | 9.8.4.45 (including) |
| Adaptive_security_appliance_software | Cisco | 9.8.4.46 (including) | 9.8.4.46 (including) |
| Adaptive_security_appliance_software | Cisco | 9.12.1 (including) | 9.12.1 (including) |
| Adaptive_security_appliance_software | Cisco | 9.12.1.2 (including) | 9.12.1.2 (including) |
| Adaptive_security_appliance_software | Cisco | 9.12.1.3 (including) | 9.12.1.3 (including) |
| Adaptive_security_appliance_software | Cisco | 9.12.2 (including) | 9.12.2 (including) |
| Adaptive_security_appliance_software | Cisco | 9.12.2.1 (including) | 9.12.2.1 (including) |
| Adaptive_security_appliance_software | Cisco | 9.12.2.4 (including) | 9.12.2.4 (including) |
| Adaptive_security_appliance_software | Cisco | 9.12.2.5 (including) | 9.12.2.5 (including) |
| Adaptive_security_appliance_software | Cisco | 9.12.2.9 (including) | 9.12.2.9 (including) |
| Adaptive_security_appliance_software | Cisco | 9.12.3 (including) | 9.12.3 (including) |
| Adaptive_security_appliance_software | Cisco | 9.12.3.2 (including) | 9.12.3.2 (including) |
| Adaptive_security_appliance_software | Cisco | 9.12.3.7 (including) | 9.12.3.7 (including) |
| Adaptive_security_appliance_software | Cisco | 9.12.3.9 (including) | 9.12.3.9 (including) |
| Adaptive_security_appliance_software | Cisco | 9.12.3.12 (including) | 9.12.3.12 (including) |
| Adaptive_security_appliance_software | Cisco | 9.12.4 (including) | 9.12.4 (including) |
| Adaptive_security_appliance_software | Cisco | 9.12.4.2 (including) | 9.12.4.2 (including) |
| Adaptive_security_appliance_software | Cisco | 9.12.4.4 (including) | 9.12.4.4 (including) |
| Adaptive_security_appliance_software | Cisco | 9.12.4.7 (including) | 9.12.4.7 (including) |
| Adaptive_security_appliance_software | Cisco | 9.12.4.8 (including) | 9.12.4.8 (including) |
| Adaptive_security_appliance_software | Cisco | 9.12.4.10 (including) | 9.12.4.10 (including) |
| Adaptive_security_appliance_software | Cisco | 9.12.4.13 (including) | 9.12.4.13 (including) |
| Adaptive_security_appliance_software | Cisco | 9.12.4.18 (including) | 9.12.4.18 (including) |
| Adaptive_security_appliance_software | Cisco | 9.12.4.24 (including) | 9.12.4.24 (including) |
| Adaptive_security_appliance_software | Cisco | 9.12.4.26 (including) | 9.12.4.26 (including) |
| Adaptive_security_appliance_software | Cisco | 9.12.4.29 (including) | 9.12.4.29 (including) |
| Adaptive_security_appliance_software | Cisco | 9.12.4.30 (including) | 9.12.4.30 (including) |
| Adaptive_security_appliance_software | Cisco | 9.12.4.35 (including) | 9.12.4.35 (including) |
| Adaptive_security_appliance_software | Cisco | 9.12.4.37 (including) | 9.12.4.37 (including) |
| Adaptive_security_appliance_software | Cisco | 9.12.4.38 (including) | 9.12.4.38 (including) |
| Adaptive_security_appliance_software | Cisco | 9.12.4.39 (including) | 9.12.4.39 (including) |
| Adaptive_security_appliance_software | Cisco | 9.12.4.40 (including) | 9.12.4.40 (including) |
| Adaptive_security_appliance_software | Cisco | 9.12.4.41 (including) | 9.12.4.41 (including) |
| Adaptive_security_appliance_software | Cisco | 9.12.4.47 (including) | 9.12.4.47 (including) |
| Adaptive_security_appliance_software | Cisco | 9.12.4.48 (including) | 9.12.4.48 (including) |
| Adaptive_security_appliance_software | Cisco | 9.12.4.50 (including) | 9.12.4.50 (including) |
| Adaptive_security_appliance_software | Cisco | 9.12.4.52 (including) | 9.12.4.52 (including) |
| Adaptive_security_appliance_software | Cisco | 9.12.4.54 (including) | 9.12.4.54 (including) |
| Adaptive_security_appliance_software | Cisco | 9.12.4.55 (including) | 9.12.4.55 (including) |
| Adaptive_security_appliance_software | Cisco | 9.14.1 (including) | 9.14.1 (including) |
| Adaptive_security_appliance_software | Cisco | 9.14.1.6 (including) | 9.14.1.6 (including) |
| Adaptive_security_appliance_software | Cisco | 9.14.1.10 (including) | 9.14.1.10 (including) |
| Adaptive_security_appliance_software | Cisco | 9.14.1.15 (including) | 9.14.1.15 (including) |
| Adaptive_security_appliance_software | Cisco | 9.14.1.19 (including) | 9.14.1.19 (including) |
| Adaptive_security_appliance_software | Cisco | 9.14.1.30 (including) | 9.14.1.30 (including) |
| Adaptive_security_appliance_software | Cisco | 9.14.2 (including) | 9.14.2 (including) |
| Adaptive_security_appliance_software | Cisco | 9.14.2.4 (including) | 9.14.2.4 (including) |
| Adaptive_security_appliance_software | Cisco | 9.14.2.8 (including) | 9.14.2.8 (including) |
| Adaptive_security_appliance_software | Cisco | 9.14.2.13 (including) | 9.14.2.13 (including) |
| Adaptive_security_appliance_software | Cisco | 9.14.2.15 (including) | 9.14.2.15 (including) |
| Adaptive_security_appliance_software | Cisco | 9.14.3 (including) | 9.14.3 (including) |
| Adaptive_security_appliance_software | Cisco | 9.14.3.1 (including) | 9.14.3.1 (including) |
| Adaptive_security_appliance_software | Cisco | 9.14.3.9 (including) | 9.14.3.9 (including) |
| Adaptive_security_appliance_software | Cisco | 9.14.3.11 (including) | 9.14.3.11 (including) |
| Adaptive_security_appliance_software | Cisco | 9.14.3.13 (including) | 9.14.3.13 (including) |
| Adaptive_security_appliance_software | Cisco | 9.14.3.15 (including) | 9.14.3.15 (including) |
| Adaptive_security_appliance_software | Cisco | 9.14.3.18 (including) | 9.14.3.18 (including) |
| Adaptive_security_appliance_software | Cisco | 9.14.4 (including) | 9.14.4 (including) |
| Adaptive_security_appliance_software | Cisco | 9.14.4.6 (including) | 9.14.4.6 (including) |
| Adaptive_security_appliance_software | Cisco | 9.14.4.7 (including) | 9.14.4.7 (including) |
| Adaptive_security_appliance_software | Cisco | 9.14.4.12 (including) | 9.14.4.12 (including) |
| Adaptive_security_appliance_software | Cisco | 9.14.4.13 (including) | 9.14.4.13 (including) |
| Adaptive_security_appliance_software | Cisco | 9.14.4.14 (including) | 9.14.4.14 (including) |
| Adaptive_security_appliance_software | Cisco | 9.14.4.15 (including) | 9.14.4.15 (including) |
| Adaptive_security_appliance_software | Cisco | 9.14.4.17 (including) | 9.14.4.17 (including) |
| Adaptive_security_appliance_software | Cisco | 9.15.1 (including) | 9.15.1 (including) |
| Adaptive_security_appliance_software | Cisco | 9.15.1.1 (including) | 9.15.1.1 (including) |
| Adaptive_security_appliance_software | Cisco | 9.15.1.7 (including) | 9.15.1.7 (including) |
| Adaptive_security_appliance_software | Cisco | 9.15.1.10 (including) | 9.15.1.10 (including) |
| Adaptive_security_appliance_software | Cisco | 9.15.1.15 (including) | 9.15.1.15 (including) |
| Adaptive_security_appliance_software | Cisco | 9.15.1.16 (including) | 9.15.1.16 (including) |
| Adaptive_security_appliance_software | Cisco | 9.15.1.17 (including) | 9.15.1.17 (including) |
| Adaptive_security_appliance_software | Cisco | 9.15.1.21 (including) | 9.15.1.21 (including) |
| Adaptive_security_appliance_software | Cisco | 9.16.1 (including) | 9.16.1 (including) |
| Adaptive_security_appliance_software | Cisco | 9.16.1.28 (including) | 9.16.1.28 (including) |
| Adaptive_security_appliance_software | Cisco | 9.16.2 (including) | 9.16.2 (including) |
| Adaptive_security_appliance_software | Cisco | 9.16.2.3 (including) | 9.16.2.3 (including) |
| Adaptive_security_appliance_software | Cisco | 9.16.2.7 (including) | 9.16.2.7 (including) |
| Adaptive_security_appliance_software | Cisco | 9.16.2.11 (including) | 9.16.2.11 (including) |
| Adaptive_security_appliance_software | Cisco | 9.16.2.13 (including) | 9.16.2.13 (including) |
| Adaptive_security_appliance_software | Cisco | 9.16.2.14 (including) | 9.16.2.14 (including) |
| Adaptive_security_appliance_software | Cisco | 9.16.3 (including) | 9.16.3 (including) |
| Adaptive_security_appliance_software | Cisco | 9.16.3.3 (including) | 9.16.3.3 (including) |
| Adaptive_security_appliance_software | Cisco | 9.16.3.14 (including) | 9.16.3.14 (including) |
| Adaptive_security_appliance_software | Cisco | 9.16.3.15 (including) | 9.16.3.15 (including) |
| Adaptive_security_appliance_software | Cisco | 9.16.3.19 (including) | 9.16.3.19 (including) |
| Adaptive_security_appliance_software | Cisco | 9.16.3.23 (including) | 9.16.3.23 (including) |
| Adaptive_security_appliance_software | Cisco | 9.16.4 (including) | 9.16.4 (including) |
| Adaptive_security_appliance_software | Cisco | 9.16.4.9 (including) | 9.16.4.9 (including) |
| Adaptive_security_appliance_software | Cisco | 9.17.1 (including) | 9.17.1 (including) |
| Adaptive_security_appliance_software | Cisco | 9.17.1.7 (including) | 9.17.1.7 (including) |
| Adaptive_security_appliance_software | Cisco | 9.17.1.9 (including) | 9.17.1.9 (including) |
| Adaptive_security_appliance_software | Cisco | 9.17.1.10 (including) | 9.17.1.10 (including) |
| Adaptive_security_appliance_software | Cisco | 9.17.1.11 (including) | 9.17.1.11 (including) |
| Adaptive_security_appliance_software | Cisco | 9.17.1.13 (including) | 9.17.1.13 (including) |
| Adaptive_security_appliance_software | Cisco | 9.17.1.15 (including) | 9.17.1.15 (including) |
| Adaptive_security_appliance_software | Cisco | 9.17.1.20 (including) | 9.17.1.20 (including) |
| Adaptive_security_appliance_software | Cisco | 9.18.1 (including) | 9.18.1 (including) |
| Adaptive_security_appliance_software | Cisco | 9.18.1.3 (including) | 9.18.1.3 (including) |
| Adaptive_security_appliance_software | Cisco | 9.18.2 (including) | 9.18.2 (including) |
| Adaptive_security_appliance_software | Cisco | 9.18.2.5 (including) | 9.18.2.5 (including) |
| Adaptive_security_appliance_software | Cisco | 9.18.2.7 (including) | 9.18.2.7 (including) |
| Adaptive_security_appliance_software | Cisco | 9.18.2.8 (including) | 9.18.2.8 (including) |
| Adaptive_security_appliance_software | Cisco | 9.19.1 (including) | 9.19.1 (including) |
HTTP requests or responses ("messages") can be malformed or unexpected in ways that cause web servers or clients to interpret the messages differently than intermediary HTTP agents such as load balancers, reverse proxies, web caching proxies, application firewalls, etc. For example, an adversary may be able to add duplicate or different header fields that a client or server interprets as one set of messages, whereas the intermediary interprets the same sequence of bytes as a different set of messages. In particular, discrepancies can arise in how to handle duplicate headers, such as two Transfer-Encoding (TE) or two Content-Length (CL) headers, or a malicious HTTP message that carries both a TE and a CL header. The inconsistent parsing and interpretation of messages can allow the adversary to "smuggle" a message to the client/server without the intermediary being aware of it. This weakness is usually the result of the use of outdated or incompatible HTTP protocol versions in the HTTP agents.
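The header discrepancies described above are something an intermediary can refuse to forward rather than guess about. The following is an added example (not code from the CVE record, Cisco, or CWE) of a fail-closed framing pre-check that flags the TE/CL ambiguities the text names; the sample requests are constructed for illustration.

```python
"""Strict HTTP/1.1 framing pre-check for an intermediary (added example).

Decides whether a request head is unambiguous enough to forward. It does
not parse bodies; it only looks for the framing discrepancies (duplicate or
conflicting Content-Length, Transfer-Encoding plus Content-Length, malformed
header lines) that downstream parsers are known to disagree about.
"""
import re
from collections import defaultdict

# RFC 9110 token syntax for header names; anything else (e.g. a space before
# the colon) is a parsing discrepancy in its own right.
_TOKEN = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")


def parse_head(raw: bytes):
    """Split a request head into (request-line, headers, malformed lines).

    Header names are lower-cased and duplicates are kept, because the whole
    point of the check is to see them.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line, header_lines = lines[0], lines[1:]
    headers: dict = defaultdict(list)
    malformed: list = []
    for line in header_lines:
        name, sep, value = line.partition(b":")
        # A bare LF inside a line means the peer may split it where we do not.
        if not sep or b"\n" in line or not _TOKEN.match(name):
            malformed.append(line)
            continue
        headers[name.lower()].append(value.strip(b" \t"))
    return request_line, headers, malformed


def framing_findings(raw: bytes) -> list:
    """Return the ambiguities found; an empty list means safe to forward."""
    _, headers, malformed = parse_head(raw)
    findings = []
    if malformed:
        findings.append("malformed header line")
    cl = headers.get(b"content-length", [])
    te = headers.get(b"transfer-encoding", [])
    if len(cl) > 1 and len(set(cl)) > 1:
        findings.append("conflicting duplicate Content-Length")
    if any(not v.isdigit() for v in cl):
        findings.append("non-numeric Content-Length")
    if cl and te:
        # RFC 9112 6.3: TE wins, but a message carrying both is the classic
        # CL.TE / TE.CL desync input; an intermediary should not relay it.
        findings.append("both Transfer-Encoding and Content-Length present")
    if len(te) > 1:
        findings.append("duplicate Transfer-Encoding")
    if te and any(v.lower() != b"chunked" for v in te):
        # Only the canonical coding is accepted; obfuscated values are
        # exactly what one parser honours and another ignores.
        findings.append("non-canonical Transfer-Encoding value")
    return findings


def should_forward(raw: bytes) -> bool:
    """Fail closed: forward only when no framing ambiguity was detected."""
    return not framing_findings(raw)


# Constructed sample requests (not traffic from the CVE record).
CLEAN = b"POST /x HTTP/1.1\r\nHost: a\r\nContent-Length: 5\r\n\r\nhello"
CL_TE = (b"POST /x HTTP/1.1\r\nHost: a\r\nContent-Length: 6\r\n"
         b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
DUP_CL = (b"POST /x HTTP/1.1\r\nHost: a\r\nContent-Length: 5\r\n"
          b"Content-Length: 6\r\n\r\nhello")
OBF_TE = b"POST /x HTTP/1.1\r\nHost: a\r\nTransfer-Encoding: xchunked\r\n\r\n"
SPACED = b"POST /x HTTP/1.1\r\nTransfer-Encoding : chunked\r\n\r\n"
```

Running `framing_findings` on each sample shows only `CLEAN` passing; the others each produce exactly the finding their name suggests.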