CVE-2009-2631
Stonesoft StoneGate, Cisco ASA, SonicWALL, SafeNet SecureWire, Juniper Networks, Nortel CallPilot, Citrix Access Gateway Vulnerability: Cross-Site Scripting
Description
Multiple clientless SSL VPN products that run in web browsers, including Stonesoft StoneGate; Cisco ASA; SonicWALL E-Class SSL VPN and SonicWALL SSL VPN; SafeNet SecureWire Access Gateway; Juniper Networks Secure Access; Nortel CallPilot; Citrix Access Gateway; and other products, when running in configurations that do not restrict access to the same domain as the VPN, retrieve the content of remote URLs from one domain and rewrite them so they originate from the VPN's domain, which violates the same origin policy and allows remote attackers to conduct cross-site scripting attacks, read cookies that originated from other domains, access the Web VPN session to gain access to internal resources, perform key logging, and conduct other attacks. NOTE: it could be argued that this is a fundamental design problem in any clientless VPN solution, as opposed to a commonly-introduced error that can be fixed in separate implementations. Therefore a single CVE has been assigned for all products that have this design
INFO
Published Date: Dec. 4, 2009, 11:30 a.m.
Last Modified: June 16, 2025, 9:15 p.m.
Source: [email protected]
Remotely Exploitable: Yes
Impact Score: 6.4
Exploitability Score: 8.6
Affected Products
The following products are affected by CVE-2009-2631 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2009-2631.
The following table lists the changes that have been made to the CVE-2009-2631 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
CVE Modified by [email protected]
Jun. 16, 2025
Changed Description
Old Value: Multiple clientless SSL VPN products that run in web browsers, including Stonesoft StoneGate; Cisco ASA; SonicWALL E-Class SSL VPN and SonicWALL SSL VPN; SafeNet SecureWire Access Gateway; Juniper Networks Secure Access; Nortel CallPilot; Citrix Access Gateway; and other products, when running in configurations that do not restrict access to the same domain as the VPN, retrieve the content of remote URLs from one domain and rewrite them so they originate from the VPN's domain, which violates the same origin policy and allows remote attackers to conduct cross-site scripting attacks, read cookies that originated from other domains, access the Web VPN session to gain access to internal resources, perform key logging, and conduct other attacks. NOTE: it could be argued that this is a fundamental design problem in any clientless VPN solution, as opposed to a commonly-introduced error that can be fixed in separate implementations. Therefore a single CVE has been assigned for all products that have this design.
New Value: Multiple clientless SSL VPN products that run in web browsers, including Stonesoft StoneGate; Cisco ASA; SonicWALL E-Class SSL VPN and SonicWALL SSL VPN; SafeNet SecureWire Access Gateway; Juniper Networks Secure Access; Nortel CallPilot; Citrix Access Gateway; and other products, when running in configurations that do not restrict access to the same domain as the VPN, retrieve the content of remote URLs from one domain and rewrite them so they originate from the VPN's domain, which violates the same origin policy and allows remote attackers to conduct cross-site scripting attacks, read cookies that originated from other domains, access the Web VPN session to gain access to internal resources, perform key logging, and conduct other attacks. NOTE: it could be argued that this is a fundamental design problem in any clientless VPN solution, as opposed to a commonly-introduced error that can be fixed in separate implementations. Therefore a single CVE has been assigned for all products that have this design
Added CWE: CWE-284
Added Reference: https://security.paloaltonetworks.com/PAN-SA-2025-0005
Added Reference: https://www.kb.cert.org/vuls/id/261869
Removed Reference: http://kb.juniper.net/KB15799
Removed Reference: http://seclists.org/fulldisclosure/2006/Jun/238
Removed Reference: http://seclists.org/fulldisclosure/2006/Jun/269
Removed Reference: http://seclists.org/fulldisclosure/2006/Jun/270
Removed Reference: http://secunia.com/advisories/37696
Removed Reference: http://secunia.com/advisories/37786
Removed Reference: http://secunia.com/advisories/37788
Removed Reference: http://secunia.com/advisories/37789
Removed Reference: http://securitytracker.com/id?1023255
Removed Reference: http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&DocumentOID=984744
Removed Reference: http://www.kb.cert.org/vuls/id/261869
Removed Reference: http://www.securityfocus.com/archive/1/508164/100/0/threaded
Removed Reference: http://www.securityfocus.com/bid/37152
Removed Reference: http://www.sonicwall.com/us/2123_14882.html
Removed Reference: http://www.sonicwall.com/us/2123_14883.html
Removed Reference: http://www.stonesoft.com/en/support/security_advisories/2009_03_12.html
Removed Reference: http://www.vupen.com/english/advisories/2009/3567
Removed Reference: http://www.vupen.com/english/advisories/2009/3568
Removed Reference: http://www.vupen.com/english/advisories/2009/3569
Removed Reference: http://www.vupen.com/english/advisories/2009/3570
Removed Reference: http://www.vupen.com/english/advisories/2009/3571
Removed Reference: http://www116.nortel.com/pub/repository/CLARIFY/DOCUMENT/2009/50/025367-01.pdf
Removed Reference: https://exchange.xforce.ibmcloud.com/vulnerabilities/54523
Removed Reference Type: http://secunia.com/advisories/37696 Types: Vendor Advisory
Removed Reference Type: http://secunia.com/advisories/37786 Types: Vendor Advisory
Removed Reference Type: http://secunia.com/advisories/37788 Types: Vendor Advisory
Removed Reference Type: http://secunia.com/advisories/37789 Types: Vendor Advisory
Removed Reference Type: http://www.kb.cert.org/vuls/id/261869 Types: US Government Resource
Removed Reference Type: http://www.sonicwall.com/us/2123_14882.html Types: Vendor Advisory
Removed Reference Type: http://www.sonicwall.com/us/2123_14883.html Types: Vendor Advisory
Removed Reference Type: http://www.stonesoft.com/en/support/security_advisories/2009_03_12.html Types: Vendor Advisory
Removed Reference Type: http://www.vupen.com/english/advisories/2009/3567 Types: Vendor Advisory
Removed Reference Type: http://www.vupen.com/english/advisories/2009/3568 Types: Vendor Advisory
Removed Reference Type: http://www.vupen.com/english/advisories/2009/3569 Types: Vendor Advisory
Removed Reference Type: http://www.vupen.com/english/advisories/2009/3570 Types: Vendor Advisory
Removed Reference Type: http://www.vupen.com/english/advisories/2009/3571 Types: Vendor Advisory
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Nov. 21, 2024
Added Reference: http://kb.juniper.net/KB15799
Added Reference: http://seclists.org/fulldisclosure/2006/Jun/238
Added Reference: http://seclists.org/fulldisclosure/2006/Jun/269
Added Reference: http://seclists.org/fulldisclosure/2006/Jun/270
Added Reference: http://secunia.com/advisories/37696
Added Reference: http://secunia.com/advisories/37786
Added Reference: http://secunia.com/advisories/37788
Added Reference: http://secunia.com/advisories/37789
Added Reference: http://securitytracker.com/id?1023255
Added Reference: http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&DocumentOID=984744
Added Reference: http://www.kb.cert.org/vuls/id/261869
Added Reference: http://www.securityfocus.com/archive/1/508164/100/0/threaded
Added Reference: http://www.securityfocus.com/bid/37152
Added Reference: http://www.sonicwall.com/us/2123_14882.html
Added Reference: http://www.sonicwall.com/us/2123_14883.html
Added Reference: http://www.stonesoft.com/en/support/security_advisories/2009_03_12.html
Added Reference: http://www.vupen.com/english/advisories/2009/3567
Added Reference: http://www.vupen.com/english/advisories/2009/3568
Added Reference: http://www.vupen.com/english/advisories/2009/3569
Added Reference: http://www.vupen.com/english/advisories/2009/3570
Added Reference: http://www.vupen.com/english/advisories/2009/3571
Added Reference: http://www116.nortel.com/pub/repository/CLARIFY/DOCUMENT/2009/50/025367-01.pdf
Added Reference: https://exchange.xforce.ibmcloud.com/vulnerabilities/54523
CVE Modified by [email protected]
May. 14, 2024
Action Type Old Value New Value
CVE Modified by [email protected]
Oct. 10, 2018
Removed Reference: http://www.securityfocus.com/archive/1/archive/1/508164/100/0/threaded [No Types Assigned]
Added Reference: http://www.securityfocus.com/archive/1/508164/100/0/threaded [No Types Assigned]
CVE Modified by [email protected]
Aug. 17, 2017
Removed Reference: http://xforce.iss.net/xforce/xfdb/54523 [No Types Assigned]
Added Reference: https://exchange.xforce.ibmcloud.com/vulnerabilities/54523 [No Types Assigned]
Initial Analysis by [email protected]
Dec. 04, 2009
Action Type Old Value New Value
CWE - Common Weakness Enumeration
While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2009-2631 is associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2009-2631 weaknesses.
Exploit Prediction
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days.
Score: 0.84 (-0.13%)
Percentile: 0.73717