CVE-2006-3073: Multiple cross-site scripting (XSS) vulnerabilities in the WebVPN feature in the Cisco VPN 3000 Series Concentrators and Cisco ASA 5500 Series Adaptiv...

Description

Multiple cross-site scripting (XSS) vulnerabilities in the WebVPN feature in the Cisco VPN 3000 Series Concentrators and Cisco ASA 5500 Series Adaptive Security Appliances (ASA), when in WebVPN clientless mode, allow remote attackers to inject arbitrary web script or HTML via the domain parameter in (1) dnserror.html and (2) connecterror.html, aka bugid CSCsd81095 (VPN3k) and CSCse48193 (ASA). NOTE: the vendor states that "WebVPN full-network-access mode" is not affected, despite the claims by the original researcher.

Metrics

EPSS Probability

1.70%

74.3th percentile

Probability of exploitation in the next 30 days. Learn more

Affected Software

Vendor	Product	Versions
Cisco	Asa 5500	7.0
Cisco	Asa 5500	7.0\(4\)
Cisco	Asa 5500	7.0.4.3
Cisco	Vpn 3000 Concentrator Series Software	2.0
Cisco	Vpn 3000 Concentrator Series Software	2.5.2.a
Cisco	Vpn 3000 Concentrator Series Software	2.5.2.b
Cisco	Vpn 3000 Concentrator Series Software	2.5.2.c
Cisco	Vpn 3000 Concentrator Series Software	2.5.2.d
Cisco	Vpn 3000 Concentrator Series Software	2.5.2.f
Cisco	Vpn 3000 Concentrator Series Software	3.0
Cisco	Vpn 3000 Concentrator Series Software	3.0.3.a
Cisco	Vpn 3000 Concentrator Series Software	3.0.3.b
Cisco	Vpn 3000 Concentrator Series Software	3.0.4
Cisco	Vpn 3000 Concentrator Series Software	3.1
Cisco	Vpn 3000 Concentrator Series Software	3.1\(rel\)
Cisco	Vpn 3000 Concentrator Series Software	3.1.1
Cisco	Vpn 3000 Concentrator Series Software	3.1.2
Cisco	Vpn 3000 Concentrator Series Software	3.1.4
Cisco	Vpn 3000 Concentrator Series Software	3.5\(rel\)
Cisco	Vpn 3000 Concentrator Series Software	3.5.1
Cisco	Vpn 3000 Concentrator Series Software	3.5.2
Cisco	Vpn 3000 Concentrator Series Software	3.5.3
Cisco	Vpn 3000 Concentrator Series Software	3.5.4
Cisco	Vpn 3000 Concentrator Series Software	3.5.5
Cisco	Vpn 3000 Concentrator Series Software	3.6
Cisco	Vpn 3000 Concentrator Series Software	3.6.1
Cisco	Vpn 3000 Concentrator Series Software	3.6.7
Cisco	Vpn 3000 Concentrator Series Software	3.6.7d
Cisco	Vpn 3000 Concentrator Series Software	4.0
Cisco	Vpn 3000 Concentrator Series Software	4.0.1
Cisco	Vpn 3000 Concentrator Series Software	4.0.5.b
Cisco	Vpn 3000 Concentrator Series Software	4.1
Cisco	Vpn 3000 Concentrator Series Software	4.1.5.b
Cisco	Vpn 3000 Concentrator Series Software	4.1.7.a
Cisco	Vpn 3000 Concentrator Series Software	4.1.7.b
Cisco	Vpn 3000 Concentrator Series Software	4.7
Cisco	Vpn 3000 Concentrator Series Software	4.7.1
Cisco	Vpn 3000 Concentrator Series Software	4.7.1.f

References

Timeline

Published: Jun 19, 2006
Last Modified: Jun 16, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2006-3073?

Multiple cross-site scripting (XSS) vulnerabilities in the WebVPN feature in the Cisco VPN 3000 Series Concentrators and Cisco ASA 5500 Series Adaptive Security Appliances (ASA), when in WebVPN clientless mode, allow remote attackers to inject arbitrary web script or HTML via the domain parameter in (1) dnserror.html and (2) connecterror.html, aka bugid CSCsd81095 (VPN3k) and CSCse48193 (ASA). NOTE: the vendor states that "WebVPN full-network-access mode" is not affected, despite the claims by the original researcher.

How severe is CVE-2006-3073?

Severity scoring for CVE-2006-3073 is pending analysis. The EPSS model estimates a 1.70% probability of exploitation in the next 30 days.

How do I fix CVE-2006-3073?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.