CVE-2026-20102 - Vulnerability Details

- Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software SAML Reflected Cross-Site Scripting Vulnerability

Description

A vulnerability in the SAML 2.0 single sign-on (SSO) feature of Cisco Secure Firewall ASA Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against the SAML feature and access sensitive, browser-based information.

This vulnerability is due to insufficient input validation of multiple HTTP parameters. An attacker could exploit this vulnerability by persuading a user to access a malicious link. A successful exploit could allow the attacker to conduct a reflected XSS attack through an affected device.

Published: 2026-03-04

Score: 6.1 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The flaw arises from inadequate validation of HTTP parameters within the SAML 2.0 SSO functionality of Cisco Secure Firewall Adaptive Security Appliance and Threat Defense software. An attacker can craft a malicious URL that reflects unsanitized user input back to the victim’s browser, enabling a reflected cross‑site scripting attack. This could compromise confidential data stored or displayed in the browser context and potentially lead to unauthorized actions performed on behalf of the user.

Affected Systems

Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software are affected. The vulnerability applies to all versions that include the unpatched SAML component, as no specific version string is provided.

Risk and Exploitability

The CVSS score of 6.1 indicates a moderate impact, while the EPSS score of less than 1% suggests a low probability of exploitation in the current environment. The vulnerability is not listed in the KEV catalog, but it can be exploited remotely by an unauthenticated attacker who convinces a user to click a crafted link. Successful exploitation would allow the attacker to inject and execute arbitrary scripts in the victim’s browser session, potentially exfiltrating sensitive data or POSTing malicious requests from the user’s authenticated session.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Cisco

Cisco Secure Firewall Adaptive Security Appliance (ASA) Software

unknown

Version	Status	Constraints
`9.16.1`	affected	—
`9.16.1.28`	affected	—
`9.16.2`	affected	—
`9.16.2.3`	affected	—
`9.16.2.7`	affected	—
`9.17.1`	affected	—
`9.16.2.11`	affected	—
`9.16.2.13`	affected	—
`9.16.2.14`	affected	—
`9.17.1.7`	affected	—
`9.17.1.9`	affected	—
`9.17.1.10`	affected	—
`9.17.1.11`	affected	—
`9.17.1.13`	affected	—
`9.17.1.15`	affected	—
`9.17.1.20`	affected	—
`9.17.1.30`	affected	—
`9.17.1.33`	affected	—
`9.17.1.39`	affected	—
`9.17.1.45`	affected	—
`9.17.1.46`	affected	—
`9.23.1.13`	affected	—
`9.20.4.7`	affected	—
`9.22.2.13`	affected	—
`9.18.4.66`	affected	—
`9.20.4.10`	affected	—
`9.23.1.19`	affected	—
`9.18.4.67`	affected	—

Cisco

Cisco Secure Firewall Threat Defense (FTD) Software

unknown

Version	Status	Constraints
`7.0.0`	affected	—
`7.0.0.1`	affected	—
`7.0.1`	affected	—
`7.1.0`	affected	—
`7.0.1.1`	affected	—
`7.1.0.1`	affected	—
`7.1.0.2`	affected	—
`7.1.0.3`	affected	—

Configuration 1 [-]

OR	cpe:2.3:o:cisco:adaptive_security_appliance_software::::::::
	cpe:2.3:o:cisco:adaptive_security_appliance_software::::::::
	cpe:2.3:o:cisco:adaptive_security_appliance_software::::::::
	cpe:2.3:o:cisco:adaptive_security_appliance_software::::::::
	cpe:2.3:o:cisco:adaptive_security_appliance_software::::::::

Configuration 2 [-]

OR	cpe:2.3:a:cisco:firepower_threat_defense_software::::::::
	cpe:2.3:a:cisco:firepower_threat_defense_software::::::::
	cpe:2.3:a:cisco:firepower_threat_defense_software::::::::
	cpe:2.3:a:cisco:firepower_threat_defense_software::::::::

No data.

Vendor Product Confidence Versions

Cisco

Adaptive Security Appliance Software

100%

Version	Status	Scheme	Platform
`9.16.1`	affected	semver	—
`9.16.1.28`	affected	generic	—
`9.16.2`	affected	semver	—
`9.16.2.3`	affected	generic	—
`9.16.2.7`	affected	generic	—
`9.17.1`	affected	semver	—
`9.16.2.11`	affected	generic	—
`9.16.2.13`	affected	generic	—
`9.16.2.14`	affected	generic	—
`9.17.1.7`	affected	generic	—
`9.17.1.9`	affected	generic	—
`9.17.1.10`	affected	generic	—
`9.17.1.11`	affected	generic	—
`9.17.1.13`	affected	generic	—
`9.17.1.15`	affected	generic	—
`9.17.1.20`	affected	generic	—
`9.17.1.30`	affected	generic	—
`9.17.1.33`	affected	generic	—
`9.17.1.39`	affected	generic	—
`9.17.1.45`	affected	generic	—
`9.17.1.46`	affected	generic	—
`9.23.1.13`	affected	generic	—
`9.20.4.7`	affected	generic	—
`9.22.2.13`	affected	generic	—
`9.18.4.66`	affected	generic	—
`9.20.4.10`	affected	generic	—
`9.23.1.19`	affected	generic	—
`9.18.4.67`	affected	generic	—

Cisco

Secure Firewall Threat Defense

100%

Version	Status	Scheme	Platform
`7.0.0`	affected	semver	—
`7.0.0.1`	affected	generic	—
`7.0.1`	affected	semver	—
`7.1.0`	affected	semver	—
`7.0.1.1`	affected	generic	—
`7.1.0.1`	affected	generic	—
`7.1.0.2`	affected	generic	—
`7.1.0.3`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest Cisco firmware patch that sanitizes SAML HTTP parameters.
Temporarily disable the SAML SSO feature or restrict it to trusted networks until patches are applied.
Perform a comprehensive scan for injected scripts in the current configuration and monitor logs for anomalous SAML requests.

Generated by OpenCVE AI on April 16, 2026 at 13:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00024.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-saml-LktTrwZP

History

Thu, 16 Apr 2026 20:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Cisco firepower Threat Defense Software
CPEs		cpe:2.3:a:cisco:firepower_threat_defense_software:::::::: cpe:2.3:o:cisco:adaptive_security_appliance_software::::::::
Vendors & Products		Cisco firepower Threat Defense Software

Thu, 05 Mar 2026 09:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Cisco Cisco adaptive Security Appliance Software Cisco secure Firewall Threat Defense
Vendors & Products		Cisco Cisco adaptive Security Appliance Software Cisco secure Firewall Threat Defense

Wed, 04 Mar 2026 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 04 Mar 2026 18:00:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability in the SAML 2.0 single sign-on (SSO) feature of Cisco Secure Firewall ASA Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against the SAML feature and access sensitive, browser-based information. This vulnerability is due to insufficient input validation of multiple HTTP parameters. An attacker could exploit this vulnerability by persuading a user to access a malicious link. A successful exploit could allow the attacker to conduct a reflected XSS attack through an affected device.
Title		Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software SAML Reflected Cross-Site Scripting Vulnerability
Weaknesses		CWE-79
References		https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-saml-LktTrwZP
Metrics		cvssV3_1 `{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}`

Subscriptions

Cisco Adaptive Security Appliance Software Firepower Threat Defense Software Secure Firewall Threat Defense

MITRE

Status: PUBLISHED

Assigner: cisco

Published: 2026-03-04T17:52:05.344Z

Updated: 2026-03-04T18:09:27.083Z

Reserved: 2025-10-08T11:59:15.370Z

Link: CVE-2026-20102

Vulnrichment

Updated: 2026-03-04T18:09:21.938Z

NVD

Status : Analyzed

Published: 2026-03-04T18:16:25.620

Modified: 2026-04-16T20:28:09.097

Link: CVE-2026-20102

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T13:30:16Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object