CVE-2025-20331
BaseFortify
Publication date: 2025-08-06
Last updated on: 2025-08-06
Assigner: Cisco Systems, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cisco | identity_services_engine | 3.2 |
| cisco | identity_services_engine | 3.3 |
| cisco | ise_pic | * |
| cisco | identity_services_engine | 3.4 |
| cisco | identity_services_engine | 3.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-80 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a stored Cross-Site Scripting (XSS) issue in the web-based management interface of Cisco ISE and Cisco ISE-PIC. It occurs because the interface does not properly validate user-supplied input, allowing an authenticated remote attacker with at least low-privileged access to inject malicious script code into the interface. When other users access the affected pages, the malicious code can execute in their browsers, potentially exposing sensitive information or allowing unauthorized actions.
How can this vulnerability impact me? :
If exploited, this vulnerability could allow an attacker to execute arbitrary script code within the context of the affected web interface. This could lead to unauthorized access to sensitive browser-based information, session hijacking, or other malicious actions performed on behalf of the victim user. The attacker needs at least low-privileged authenticated access to the device to exploit this vulnerability.