How severe is CVE-2024-20355?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 5 out of 10.

What type of vulnerability is CVE-2024-20355?

This is classified as CWE-862, which is a common weakness in software security.

CVE-2024-20355

MEDIUM Year: 2024

CVSS v3 Score

5.0

Medium

Weakness Type

CWE-862

View all →

Vulnerability Description

A vulnerability in the implementation of SAML 2.0 single sign-on (SSO) for remote access VPN services in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, remote attacker to successfully establish a VPN session on an affected device. This vulnerability is due to improper separation of authorization domains when using SAML authentication. An attacker could exploit this vulnerability by using valid credentials to successfully authenticate using their designated connection profile (tunnel group), intercepting the SAML SSO token that is sent back from the Cisco ASA device, and then submitting the same SAML SSO token to a different tunnel group for authentication. A successful exploit could allow the attacker to establish a remote access VPN session using a connection profile that they are not authorized to use and connect to secured networks behind the affected device that they are not authorized to access. For successful exploitation, the attacker must have valid remote access VPN user credentials.

CVE-2022-20394

MEDIUM

CVSS:5.0(Medium)

In getInputMethodWindowVisibleHeight of InputMethodManagerService.java, there is a possible way to determine when another app is showing an IME due to a missing permission check. This could lead to lo...

CWE-8622022

CVE-2024-0447

MEDIUM

CVSS:5.0(Medium)

The ArtiBot Free Chat Bot for WordPress WebSites plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the artibot_update function in all version...

CWE-8622024

CVE-2024-0451

MEDIUM

CVSS:5.0(Medium)

The AI ChatBot plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the openai_file_list_callback function in all versions up to, and including, 5.3.4...

CWE-8622024

CVE-2024-42934

MEDIUM

CVSS:5.0(Medium)

OpenIPMI before 2.0.36 has an out-of-bounds array access (for authentication type) in the ipmi_sim simulator, resulting in denial of service or (with very low probability) authentication bypass or cod...

CWE-8622024

CVE-2024-43090

MEDIUM

CVSS:5.0(Medium)

In multiple locations, there is a possible cross-user image read due to a missing permission check. This could lead to local information disclosure with User execution privileges needed. User interact...

CWE-8622024

CVE-2025-24021

MEDIUM

CVSS:5.0(Medium)

iTop is an web based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, anyone with an account having portal access can set value to object fields when they're not supposed to. Ve...

CWE-8622025

CVE-2024-20355

Vulnerability Description

Related Vulnerabilities

CVE-2022-20394

CVE-2024-0447

CVE-2024-0451

CVE-2024-42934

CVE-2024-43090

CVE-2025-24021