
Cloud Vulnerability DB
A community-led vulnerabilities database
Multiple cross-site scripting (XSS) vulnerabilities were discovered in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software, tracked as CVE-2020-3580. The vulnerability was initially disclosed on October 21, 2020, with a CVSS score of 6.1. The flaw affects specific AnyConnect and WebVPN configurations and allows an unauthenticated, remote attacker to conduct cross-site scripting attacks against users of the web services interface (Tenable Blog, CVE Details).
The vulnerability stems from insufficient validation of user-supplied input by the web services interface of affected devices. It affects only certain configurations: AnyConnect Internet Key Exchange Version 2 (IKEv2) Remote Access with client services, AnyConnect SSL VPN, and Clientless SSL VPN, in each case when the webvpn feature is enabled. The CVSS score of 6.1 places the flaw at medium severity (Tenable Blog).
Successful exploitation could allow an attacker to execute arbitrary script code in the context of the interface or to access sensitive, browser-based information. The attacker would need to persuade a user of the interface to click a specially crafted link for the attack to succeed (CVE Details).
Cisco initially released patches in October 2020 but later determined that the fix was incomplete, requiring a second round of patches released on April 28, 2021. Organizations are strongly advised to prioritize patching CVE-2020-3580 to mitigate the risk associated with the flaw (Hacker News).
Following the publication of a proof-of-concept (PoC) exploit, security researchers actively discussed the vulnerability on social media platforms, with some pursuing bug bounties. Tenable and other security firms issued alerts about active exploitation of the vulnerability in the wild (Tenable Blog).
Source: This report was generated using AI