CVE-2022-20713: 
Cisco Adaptive Security Appliance (ASA) vulnerability analysis and mitigation

A vulnerability (CVE-2022-20713) was discovered in the VPN web client services component of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software. The vulnerability was first published on August 10, 2022, and affects systems running ASA Software with Cisco AnyConnect VPN or Clientless SSL VPN enabled, and FTD Software with Cisco AnyConnect VPN enabled (Cisco Advisory).

The vulnerability stems from improper validation of input that is passed to the VPN web client services component before being returned to the browser. It has been assigned a CVSS base score of 4.3 (Medium severity) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:X/RL:X/RC:X. The vulnerability is classified under CWE-444 (Cisco Advisory).

A successful exploitation of this vulnerability could allow an attacker to reflect malicious input from the affected device to the browser and conduct browser-based attacks, including cross-site scripting attacks. However, the attacker cannot directly impact the affected device (Cisco Advisory).

Cisco has released software updates that address this vulnerability. No workarounds are available for this vulnerability. Devices with remote access VPN services configured to accept only AnyConnect Internet Key Exchange Version 2 Remote Access VPN with client services disabled are not affected by this vulnerability (Cisco Advisory).

The vulnerability was initially reported by James Kettle of Portswigger.net, with additional details provided by Valerio Brussani of NoZero (Cisco Advisory).