id: CVE-2020-3187

info:
  name: CVE-2020-3187
  author: KareemSe1im
  severity: critical
  description: A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and obtain read and delete access to sensitive files on a targeted system.
  reference:
    - https://twitter.com/aboul3la/status/1286809567989575685
    - http://packetstormsecurity.com/files/158648/Cisco-Adaptive-Security-Appliance-Software-9.7-Arbitrary-File-Deletion.html
    - https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-path-JE3azWw43
  tags: cve,cve2020,cisco
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
    cvss-score: 9.10
    cve-id: CVE-2020-3187
    cwe-id: CWE-22

requests:
  - method: GET
    path:
      - "{{BaseURL}}/+CSCOE+/session_password.html"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - webvpn
          - Webvpn
        part: header

      - type: status
        status:
          - 200