Common Vulnerabilities and Exposures

When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

Fixed Releases
At the time of publication, Cisco Webex Player releases 41.5 and later contained the fix for this vulnerability. Releases are available from the Cisco Webex Video Recording page or from corresponding Cisco Webex Meetings sites.
See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.

Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.
When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.

Fixed Releases
In the following table(s), the left column lists Cisco software releases. The center column indicates whether a release is affected by the vulnerability described in this advisory and the first release that includes the fix for this vulnerability. The right column indicates whether a release is affected by any of the vulnerabilities described in this bundle and which release includes fixes for those vulnerabilities.
FTD Software

Cisco FTD Software Release 
First Fixed Release for This Vulnerability
Recommended Fixed Release for All Vulnerabilities Described in the Bundle of Advisories

Earlier than 6.2.21
Not vulnerable.
Migrate to a fixed release.

6.2.2
Not vulnerable.
Migrate to a fixed release.

6.2.3
Not vulnerable.
Migrate to a fixed release.

6.3.0
Migrate to a fixed release.
Migrate to a fixed release.

6.4.0
Not vulnerable.
6.4.0.12 (May 2021)

6.5.0
Not vulnerable.
Migrate to a fixed release.

6.6.0
Not vulnerable.
6.6.42

6.7.0
Not vulnerable.
6.7.0.2

1. Cisco FMC and FTD Software releases 6.0.1 and earlier, as well as releases 6.2.0 and 6.2.1, have reached end of software maintenance. Customers are advised to migrate to a supported release that includes the fix for this vulnerability.
2. The First Fixed Release for the 6.6.0 code train was 6.6.3; however, due to upgrade issues associated with CSCvx86231 the recommended release is 6.6.4.
To upgrade to a fixed release of Cisco FTD Software, customers can do one of the following:

For devices that are managed by using Cisco Firepower Management Center (FMC), use the FMC interface to install the upgrade. After installation is complete, reapply the access control policy.
For devices that are managed by using Cisco Firepower Device Manager (FDM), use the FDM interface to install the upgrade. After installation is complete, reapply the access control policy.

The following table lists Cisco products that are affected by the vulnerabilities that are described in this advisory. If a future release date is indicated for software, the date provided represents an estimate based on all information known to Cisco as of the Last Updated date at the top of the advisory. Availability dates are subject to change based on a number of factors, including satisfactory testing results and delivery of other priority features and fixes. If no version or date is listed for an affected component (indicated by a blank field and/or an advisory designation of Interim), Cisco is continuing to evaluate the fix and will update the advisory as additional information becomes available. After the advisory is marked Final, customers should refer to the associated Cisco bug(s) for further details.

Product
Cisco Bug ID
Fixed Release Availability

Cisco Adaptive Security Appliance (ASA) SoftwareAffected features: Clientless WebVPN and AnyConnect VPN (only when SSO is enabled)
CSCvx73164
9.8.4.38 (Jun 2021)9.12.4.24 (available)9.14.3 (Jun 2021)9.15.1.15 (available)9.16.1.3 (available)

Cisco Content Security Management Appliance (SMA)Affected feature: Web-based management interface (only when SSO is enabled)
CSCvx73156
13.8.1 (available)14.1.0 (Jul 2021)

Cisco Email Security Appliance (ESA)Affected feature: Web-based management interface (only when SSO is enabled)
CSCvx73154
14.0.0-692 GD (available)

Cisco FXOS Software
CSCvx73164
2.2.2.149 (Jul 2021)2.3.1.216 (Jul 2021)2.6.1.230 (Jul 2021)2.7.1.143 (available)2.8.1.152 (available)2.9.1.143 (available)

Cisco Web Security Appliance (WSA)

CSCvx73157
14.0.1 (Sep 2021)

Cisco Firepower Threat Defense (FTD) SoftwareAffected feature: AnyConnect VPN (only when SSO is enabled)1

CSCvx73164
6.4.0.12 (available)6.6.5 (Jul 2021)6.7.0.2 (available)7.0.0 (available)

Cisco Prime Collaboration Assurance
CSCvx73162
12.1 SP4 ES (TBD)

1. The AnyConnect VPN is configurable only through FlexConfig for Cisco FTD releases earlier than Release 6.7.
The Cisco software releases listed in the following table have reached end of software maintenance. Customers are advised to migrate to a supported release that includes the fix for this vulnerability.

Cisco Software
End-of-Life Releases

ASA Software
9.7 and earlier9.99.109.13

FXOS Software
2.4.12.7.1

FTD Software
6.0.1 and earlier 6.2.06.2.16.5

Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following products and services:
Network and Content Security Devices

Cisco AMP Virtual Private Cloud Appliance

Network Management and Provisioning

Cisco Prime Collaboration Provisioning

Unified Computing

Cisco UCS B-Series M5 Blade Servers
Cisco UCS C-Series M5 Rack Servers – Managed

Video, Streaming, TelePresence, and Transcoding Devices

Cisco Video Surveillance Media Server
Cisco Video Surveillance Operations Manager
Cisco Vision Dynamic Signage Director

The vulnerabilities are dependent on one another; exploitation of one of the vulnerabilities is required to exploit the other vulnerability.
Details about the vulnerabilities are as follows:

Cisco Finesse and Cisco Virtualized Voice Browser OpenSocial Gadget Editor Unauthenticated Access Vulnerability
A vulnerability in the web management interface of Cisco Finesse and Cisco Virtualized Voice Browser could allow an unauthenticated, remote attacker to access the OpenSocial Gadget Editor without providing valid user credentials.
The vulnerability is due to missing authentication for a specific section of the web-based management interface. An attacker could exploit this vulnerability by accessing a crafted URL. A successful exploit could allow the attacker to obtain access to a section of the interface, which they could use to obtain potentially confidential information and create arbitrary XML files.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

CVE ID: CVE-2021-1246Bug ID(s): CSCvs52916, CSCvw27957Security Impact Rating (SIR): MediumCVSS Base Score: 6.5CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Cisco Finesse OpenSocial Gadget Editor Cross-Site Scripting Vulnerability
A vulnerability in the web-based management interface of Cisco Finesse could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface.
The vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

CVE ID: CVE-2021-1245Bug ID(s): CSCvs52916Security Impact Rating (SIR): MediumCVSS Base Score: 6.1CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N