CVE-2017-6788
Description
The WebLaunch functionality of Cisco AnyConnect Secure Mobility Client Software contains a vulnerability that could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the affected software. The vulnerability is due to insufficient input validation of some parameters that are passed to the WebLaunch function of the affected software. An attacker could exploit this vulnerability by convincing a user to access a malicious link or by intercepting a user request and injecting malicious code into the request. Cisco Bug IDs: CSCvf12055. Known Affected Releases: 98.89(40).
Risk Information
Base Score
6.1
MODERATE
Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Score
Exploitation Probability
0.232
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Vulnerability CVE-2017-12268,CVE-2017-6788 are affected in Cisco AnyConnect Secure Mobility Client For Windows 4.5 | Windows |
| Vulnerabilities CVE-2017-6788 are affected in Any Connect (Microsoft Store) 4.4(4027) | Windows |
| Vulnerabilities CVE-2017-6788,CVE-2018-0373 are affected in Any Connect (Microsoft Store) 4.5(58) | Windows |
| Cisco AnyConnect WebLaunch Cross-Site Scripting Vulnerability For Cisco AnyConnect Secure Mobility Client | NCM |
| Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability (CVE-2017-6788) | NCM |
Patch Details
Click to see the patches provided by ManageEngine for this CVE
| Patch ID | Patch Description |
|---|---|
| PATCH-1705981 | Security Update for Cisco AnyConnect Secure Mobility Client 4.3(2034) |
| PATCH-338372 | Cisco AnyConnect Secure Mobility Client (4.10.08029) (Manual Upload Required) |
References
https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234