CVE-2009-1220
Description
Cross-site scripting (XSS) vulnerability in +webvpn+/index.html in WebVPN on the Cisco Adaptive Security Appliances (ASA) 5520 with software 7.2(4)30 and earlier 7.2 versions including 7.2(2)22, and 8.0(4)28 and earlier 8.0 versions, when clientless mode is enabled, allows remote attackers to inject arbitrary web script or HTML via the Host HTTP header.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting vulnerability in Cisco ASA WebVPN clientless mode allows remote attackers to inject arbitrary web script via the Host HTTP header.
Vulnerability
Cross-site scripting (XSS) vulnerability exists in the +webvpn+/index.html page of WebVPN on Cisco Adaptive Security Appliances (ASA) 5520 running software versions 7.2(4)30 and earlier 7.2 versions (including 7.2(2)22), and 8.0(4)28 and earlier 8.0 versions. The vulnerability is present when clientless mode is enabled. The issue allows injection of arbitrary web script or HTML via the Host HTTP header. [1]
Exploitation
An attacker can exploit this vulnerability by sending a crafted HTTP request to the affected device with a malicious Host header. No authentication is required as the WebVPN interface is accessible remotely. The attacker only needs network access to the ASA's WebVPN service. The malicious script or HTML is then reflected in the response, executing in the context of the victim's browser session.
Impact
Successful exploitation allows the attacker to execute arbitrary web script or HTML in the victim's browser, leading to potential information disclosure, session hijacking, or other client-side attacks. The impact is limited to the browser session of the user accessing the WebVPN portal.
Mitigation
No specific fix or patched version is disclosed in the available reference [1]. Given the age of this CVE (2009), affected devices may be end-of-life or require upgrading to a later software version that addresses the issue. Users should consult Cisco's current advisory for any updates.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:h:cisco:adaptive_security_appliance:5520:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:ios:7.2\(2\)22:*:*:*:*:*:*:*
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- www.securityfocus.com/bid/34307 (nvd, Exploit)
- archives.neohapsis.com/archives/fulldisclosure/2009-03/0478.html (nvd)
- tools.cisco.com/security/center/viewAlert.x (nvd)
- www.securityfocus.com/archive/1/502313/100/0/threaded (nvd)
- www.securityfocus.com/archive/1/502932 (nvd)
- www.securitytracker.com/id (nvd)
- www.vupen.com/english/advisories/2009/1169 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/49528 (nvd)
News mentions
No linked articles in our index yet.