Cisco Systems, Inc. Information for VU#261869

Clientless SSL VPN products break web browser domain-based security models



Vendor Statement

The limitations described in VU#261869 affect all vendors offering a truly Clientless SSL VPN solution, including Cisco. Cisco has published a Security Activity Bulletin that provides additional information at the following link:

This bulletin includes links to documentation that guide customers on how to properly configure Clientless SSL VPN deployments for the purpose of accessing trusted resources to avoid getting in to a situation which may cause concern.

Cisco Secure Desktop (CSD) is a multifunctional component of the Cisco SSL VPN solution that can also be used with Clientless connections to protect against these security risks. Additionally, customers can use the Cisco AnyConnect client. Cisco Anyconnect provides remote end users with support of applications and functions unavailable to a clientless, browser-based SSL VPN connection.  Information about CSD and AnyConnect can be found at:

Vendor Information

Cisco has published information about this issue at:

Vendor References


There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.