CVE-2025-20180

Severity CVSS v4.0: Pending analysis
Type: CWE-79 Cross-Site Scripting (XSS)
Publication date: 05/02/2025
Last modified: 15/08/2025

Description

A vulnerability in the web-based management interface of Cisco AsyncOS Software for Cisco Secure Email and Web Manager and Secure Email Gateway could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface.

This vulnerability is due to insufficient validation of user input. An attacker could exploit this vulnerability by persuading a user of an affected interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have valid credentials for a user account with at least the role of Operator.

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:cisco:asyncos:12.8.1-002:*:*:*:*:*:*:*
cpe:2.3:o:cisco:asyncos:12.8.1-021:*:*:*:*:*:*:*
cpe:2.3:o:cisco:asyncos:13.0.0-249:*:*:*:*:*:*:*
cpe:2.3:o:cisco:asyncos:13.0.0-277:*:*:*:*:*:*:*
cpe:2.3:o:cisco:asyncos:13.6.1-201:*:*:*:*:*:*:*
cpe:2.3:o:cisco:asyncos:13.6.2-023:*:*:*:*:*:*:*
cpe:2.3:o:cisco:asyncos:13.6.2-078:*:*:*:*:*:*:*
cpe:2.3:o:cisco:asyncos:13.8.1-052:*:*:*:*:*:*:*
cpe:2.3:o:cisco:asyncos:13.8.1-068:*:*:*:*:*:*:*
cpe:2.3:o:cisco:asyncos:13.8.1-074:*:*:*:*:*:*:*
cpe:2.3:o:cisco:asyncos:13.8.1-108:*:*:*:*:*:*:*
cpe:2.3:o:cisco:asyncos:14.0.0-404:*:*:*:*:*:*:*
cpe:2.3:o:cisco:asyncos:14.1.0-227:*:*:*:*:*:*:*
cpe:2.3:o:cisco:asyncos:14.2.0-203:*:*:*:*:*:*:*
cpe:2.3:o:cisco:asyncos:14.2.0-212:*:*:*:*:*:*:*