Recently there is no peace for the Cisco ASA Appliance.
After the vulnerability in the fragmentation of the IKE payload, a new zero-day afflicts the Cisco ASA VPN Portal through XSS attack.
Cisco ASA VPN is prone to a XSS on the password recovery page.
This vulnerability can be used by an attacker to capture other user’s credentials.
The password recovery form fails to filter properly the hidden inputs fields.
Here a simple Proof-Of-Concept to check the vulnerability: