Arbitrary File Deletion (CVE-2020-3187) on ████████

Disclosed: 2022-03-18 19:04:33 By pirneci To deptofdefense
High
Vulnerability Details
Hello team, I hope you're doing well, healthy & wealthy. I found an Arbitrary File Deletion (CVE-2020-3187) vulnerability on https://██████████/+CSCOE+/session_password.html that allows arbitrary file deletion.

## References
- https://twitter.com/aboul3la/status/1286809567989575685
- http://packetstormsecurity.com/files/158648/Cisco-Adaptive-Security-Appliance-Software-9.7-Arbitrary-File-Deletion.html
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-path-JE3azWw43

Arbitrary File Deletion

Reference:
- https://video.twimg.com/ext_tw_video/1286808440271183873/pu/vid/1270x720/8tccA2VgHV9TDtW4.mp4

classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
- cvss-score: 9.10
- cve-id: CVE-2020-3187
- cwe-id: CWE-22

## Impact
A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and obtain read and delete access to sensitive files on a targeted system.

Best regards
@pirneci

## System Host(s)
█████

## Affected Product(s) and Version(s)
Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software

## CVE Numbers
CVE-2020-3187

## Steps to Reproduce
Here is the PoC. If you can see the "webvpn:" cookie, then you can delete any arbitrary file. I didn't do it. It's enough to prove the vulnerability.

**PoC**
```
GET /+CSCOE+/session_password.html HTTP/1.1
Host: █████
Sec-Ch-Ua: "Chromium";v="97", " Not;A Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close
```

████████

## Suggested Mitigation/Remediation Actions
Please upgrade to the latest version.
Report Stats
  • Report ID: 1455266
  • State: Closed
  • Substate: resolved
  • Upvotes: 1