CVE-2025-20240
BaseFortify
Publication date: 2025-09-24
Last updated on: 2025-09-26
Assigner: Cisco Systems, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cisco | ios_xe | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-692 | The product uses a denylist-based protection mechanism to defend against XSS attacks, but the denylist is incomplete, allowing XSS variants to succeed. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a reflected cross-site scripting (XSS) flaw in the web UI of Cisco IOS XE Software. It occurs because the software does not properly sanitize user-supplied input. An attacker can exploit this by tricking a user into clicking a malicious link, which then allows the attacker to execute a reflected XSS attack and potentially steal the user's cookies from the affected device.
How can this vulnerability impact me? :
If exploited, this vulnerability can allow an attacker to execute a reflected XSS attack on the device's web UI, potentially stealing user cookies. This could lead to unauthorized access to user sessions or sensitive information, compromising the security of the affected device and its users.