CVE-2025-20179
Vulnerability from cvelistv5
Published
2025-02-05 16:14
Modified
2025-02-05 17:21
Severity ?
EPSS score ?
Summary
A vulnerability in the web-based management interface of Cisco Expressway Series could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface.
This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.
Note: Cisco Expressway Series refers to Cisco Expressway Control (Expressway-C) devices and Cisco Expressway Edge (Expressway-E) devices.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Cisco | Cisco TelePresence Video Communication Server (VCS) Expressway |
Version: X8.11.2 Version: X8.6 Version: X8.11.3 Version: X8.2.2 Version: X8.8.3 Version: X8.11.0 Version: X12.5.2 Version: X8.1.1 Version: X8.9 Version: X12.5.1 Version: X12.5.6 Version: X8.7.3 Version: X12.6.0 Version: X8.11.1 Version: X8.5 Version: X8.9.1 Version: X8.10.2 Version: X8.8.2 Version: X8.5.3 Version: X8.1 Version: X8.9.2 Version: X8.11.4 Version: X12.5.4 Version: X8.8.1 Version: X8.2.1 Version: X8.5.1 Version: X8.6.1 Version: X8.1.2 Version: X8.8 Version: X8.10.0 Version: X12.5.3 Version: X8.10.1 Version: X12.5.7 Version: X8.10.3 Version: X8.7.1 Version: X8.2 Version: X12.5.8 Version: X8.7 Version: X8.5.2 Version: X12.5.9 Version: X12.5.0 Version: X8.10.4 Version: X8.7.2 Version: X12.5.5 Version: X12.6.1 Version: X12.6.2 Version: X12.6.3 Version: X12.6.4 Version: X12.7.0 Version: X12.7.1 Version: X14.0.0 Version: X14.0.1 Version: X14.0.2 Version: X14.0.3 Version: X14.0.4 Version: X14.0.5 Version: X14.0.6 Version: X14.0.7 Version: X14.0.8 Version: X14.2.0 Version: X14.0.9 Version: X14.2.1 Version: X14.2.2 Version: X14.0.11 Version: X14.2.5 Version: X14.0.10 Version: X14.2.6 Version: X14.2.7 Version: X14.3.0 Version: X14.3.1 Version: X14.3.2 Version: X14.3.3 Version: X15.0.0 Version: X14.3.4 Version: X14.3.5 Version: X15.0.1 Version: X15.0.2 Version: X15.0.3 Version: X14.3.6 Version: X15.2.0 Version: X15.2.1 |
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2025-20179", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-02-05T17:20:57.716321Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-02-05T17:21:13.663Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unknown", product: "Cisco TelePresence Video Communication Server (VCS) Expressway", vendor: "Cisco", versions: [ { status: "affected", version: "X8.11.2", }, { status: "affected", version: "X8.6", }, { status: "affected", version: "X8.11.3", }, { status: "affected", version: "X8.2.2", }, { status: "affected", version: "X8.8.3", }, { status: "affected", version: "X8.11.0", }, { status: "affected", version: "X12.5.2", }, { status: "affected", version: "X8.1.1", }, { status: "affected", version: "X8.9", }, { status: "affected", version: "X12.5.1", }, { status: "affected", version: "X12.5.6", }, { status: "affected", version: "X8.7.3", }, { status: "affected", version: "X12.6.0", }, { status: "affected", version: "X8.11.1", }, { status: "affected", version: "X8.5", }, { status: "affected", version: "X8.9.1", }, { status: "affected", version: "X8.10.2", }, { status: "affected", version: "X8.8.2", }, { status: "affected", version: "X8.5.3", }, { status: "affected", version: "X8.1", }, { status: "affected", version: "X8.9.2", }, { status: "affected", version: "X8.11.4", }, { status: "affected", version: "X12.5.4", }, { status: "affected", version: "X8.8.1", }, { status: "affected", version: "X8.2.1", }, { status: "affected", version: "X8.5.1", }, { status: "affected", version: "X8.6.1", }, { status: "affected", version: "X8.1.2", }, { status: "affected", version: "X8.8", }, { status: "affected", version: "X8.10.0", }, { status: "affected", version: "X12.5.3", }, { status: "affected", version: "X8.10.1", }, { status: "affected", version: "X12.5.7", }, { status: "affected", version: "X8.10.3", }, { status: "affected", version: "X8.7.1", }, { status: "affected", version: "X8.2", }, { status: "affected", version: "X12.5.8", }, { status: "affected", version: "X8.7", }, { status: "affected", version: "X8.5.2", }, { status: "affected", version: "X12.5.9", }, { status: "affected", version: "X12.5.0", }, { status: "affected", version: "X8.10.4", }, { status: "affected", version: "X8.7.2", }, { status: "affected", version: "X12.5.5", }, { status: "affected", version: "X12.6.1", }, { status: "affected", version: "X12.6.2", }, { status: "affected", version: "X12.6.3", }, { status: "affected", version: "X12.6.4", }, { status: "affected", version: "X12.7.0", }, { status: "affected", version: "X12.7.1", }, { status: "affected", version: "X14.0.0", }, { status: "affected", version: "X14.0.1", }, { status: "affected", version: "X14.0.2", }, { status: "affected", version: "X14.0.3", }, { status: "affected", version: "X14.0.4", }, { status: "affected", version: "X14.0.5", }, { status: "affected", version: "X14.0.6", }, { status: "affected", version: "X14.0.7", }, { status: "affected", version: "X14.0.8", }, { status: "affected", version: "X14.2.0", }, { status: "affected", version: "X14.0.9", }, { status: "affected", version: "X14.2.1", }, { status: "affected", version: "X14.2.2", }, { status: "affected", version: "X14.0.11", }, { status: "affected", version: "X14.2.5", }, { status: "affected", version: "X14.0.10", }, { status: "affected", version: "X14.2.6", }, { status: "affected", version: "X14.2.7", }, { status: "affected", version: "X14.3.0", }, { status: "affected", version: "X14.3.1", }, { status: "affected", version: "X14.3.2", }, { status: "affected", version: "X14.3.3", }, { status: "affected", version: "X15.0.0", }, { status: "affected", version: "X14.3.4", }, { status: "affected", version: "X14.3.5", }, { status: "affected", version: "X15.0.1", }, { status: "affected", version: "X15.0.2", }, { status: "affected", version: "X15.0.3", }, { status: "affected", version: "X14.3.6", }, { status: "affected", version: "X15.2.0", }, { status: "affected", version: "X15.2.1", }, ], }, ], descriptions: [ { lang: "en", value: "A vulnerability in the web-based management interface of Cisco Expressway Series could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface.\r\n\r\nThis vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.\r\nNote: Cisco Expressway Series refers to Cisco Expressway Control (Expressway-C) devices and Cisco Expressway Edge (Expressway-E) devices.", }, ], exploits: [ { lang: "en", value: "The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, format: "cvssV3_1", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-79", description: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", lang: "en", type: "cwe", }, ], }, ], providerMetadata: { dateUpdated: "2025-02-05T16:14:03.704Z", orgId: "d1c1063e-7a18-46af-9102-31f8928bc633", shortName: "cisco", }, references: [ { name: "cisco-sa-expressway-xss-uexUZrEW", url: "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-expressway-xss-uexUZrEW", }, ], source: { advisory: "cisco-sa-expressway-xss-uexUZrEW", defects: [ "CSCwn01191", ], discovery: "EXTERNAL", }, title: "Cisco Expressway Series Cross-Site Scripting Vulnerability", }, }, cveMetadata: { assignerOrgId: "d1c1063e-7a18-46af-9102-31f8928bc633", assignerShortName: "cisco", cveId: "CVE-2025-20179", datePublished: "2025-02-05T16:14:03.704Z", dateReserved: "2024-10-10T19:15:13.225Z", dateUpdated: "2025-02-05T17:21:13.663Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", "vulnerability-lookup:meta": { nvd: "{\"cve\":{\"id\":\"CVE-2025-20179\",\"sourceIdentifier\":\"psirt@cisco.com\",\"published\":\"2025-02-05T17:15:25.210\",\"lastModified\":\"2025-02-05T17:15:25.210\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A vulnerability in the web-based management interface of Cisco Expressway Series could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface.\\r\\n\\r\\nThis vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.\\r\\nNote: Cisco Expressway Series refers to Cisco Expressway Control (Expressway-C) devices and Cisco Expressway Edge (Expressway-E) devices.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"psirt@cisco.com\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"psirt@cisco.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"references\":[{\"url\":\"https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-expressway-xss-uexUZrEW\",\"source\":\"psirt@cisco.com\"}]}}", vulnrichment: { containers: "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-20179\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-05T17:20:57.716321Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-05T17:21:08.612Z\"}}], \"cna\": {\"title\": \"Cisco Expressway Series Cross-Site Scripting Vulnerability\", \"source\": {\"defects\": [\"CSCwn01191\"], \"advisory\": \"cisco-sa-expressway-xss-uexUZrEW\", \"discovery\": \"EXTERNAL\"}, \"metrics\": [{\"format\": \"cvssV3_1\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 6.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"Cisco\", \"product\": \"Cisco TelePresence Video Communication Server (VCS) Expressway\", \"versions\": [{\"status\": \"affected\", \"version\": \"X8.11.2\"}, {\"status\": \"affected\", \"version\": \"X8.6\"}, {\"status\": \"affected\", \"version\": \"X8.11.3\"}, {\"status\": \"affected\", \"version\": \"X8.2.2\"}, {\"status\": \"affected\", \"version\": \"X8.8.3\"}, {\"status\": \"affected\", \"version\": \"X8.11.0\"}, {\"status\": \"affected\", \"version\": \"X12.5.2\"}, {\"status\": \"affected\", \"version\": \"X8.1.1\"}, {\"status\": \"affected\", \"version\": \"X8.9\"}, {\"status\": \"affected\", \"version\": \"X12.5.1\"}, {\"status\": \"affected\", \"version\": \"X12.5.6\"}, {\"status\": \"affected\", \"version\": \"X8.7.3\"}, {\"status\": \"affected\", \"version\": \"X12.6.0\"}, {\"status\": \"affected\", \"version\": \"X8.11.1\"}, {\"status\": \"affected\", \"version\": \"X8.5\"}, {\"status\": \"affected\", \"version\": \"X8.9.1\"}, {\"status\": \"affected\", \"version\": \"X8.10.2\"}, {\"status\": \"affected\", \"version\": \"X8.8.2\"}, {\"status\": \"affected\", \"version\": \"X8.5.3\"}, {\"status\": \"affected\", \"version\": \"X8.1\"}, {\"status\": \"affected\", \"version\": \"X8.9.2\"}, {\"status\": \"affected\", \"version\": \"X8.11.4\"}, {\"status\": \"affected\", \"version\": \"X12.5.4\"}, {\"status\": \"affected\", \"version\": \"X8.8.1\"}, {\"status\": \"affected\", \"version\": \"X8.2.1\"}, {\"status\": \"affected\", \"version\": \"X8.5.1\"}, {\"status\": \"affected\", \"version\": \"X8.6.1\"}, {\"status\": \"affected\", \"version\": \"X8.1.2\"}, {\"status\": \"affected\", \"version\": \"X8.8\"}, {\"status\": \"affected\", \"version\": \"X8.10.0\"}, {\"status\": \"affected\", \"version\": \"X12.5.3\"}, {\"status\": \"affected\", \"version\": \"X8.10.1\"}, {\"status\": \"affected\", \"version\": \"X12.5.7\"}, {\"status\": \"affected\", \"version\": \"X8.10.3\"}, {\"status\": \"affected\", \"version\": \"X8.7.1\"}, {\"status\": \"affected\", \"version\": \"X8.2\"}, {\"status\": \"affected\", \"version\": \"X12.5.8\"}, {\"status\": \"affected\", \"version\": \"X8.7\"}, {\"status\": \"affected\", \"version\": \"X8.5.2\"}, {\"status\": \"affected\", \"version\": \"X12.5.9\"}, {\"status\": \"affected\", \"version\": \"X12.5.0\"}, {\"status\": \"affected\", \"version\": \"X8.10.4\"}, {\"status\": \"affected\", \"version\": \"X8.7.2\"}, {\"status\": \"affected\", \"version\": \"X12.5.5\"}, {\"status\": \"affected\", \"version\": \"X12.6.1\"}, {\"status\": \"affected\", \"version\": \"X12.6.2\"}, {\"status\": \"affected\", \"version\": \"X12.6.3\"}, {\"status\": \"affected\", \"version\": \"X12.6.4\"}, {\"status\": \"affected\", \"version\": \"X12.7.0\"}, {\"status\": \"affected\", \"version\": \"X12.7.1\"}, {\"status\": \"affected\", \"version\": \"X14.0.0\"}, {\"status\": \"affected\", \"version\": \"X14.0.1\"}, {\"status\": \"affected\", \"version\": \"X14.0.2\"}, {\"status\": \"affected\", \"version\": \"X14.0.3\"}, {\"status\": \"affected\", \"version\": \"X14.0.4\"}, {\"status\": \"affected\", \"version\": \"X14.0.5\"}, {\"status\": \"affected\", \"version\": \"X14.0.6\"}, {\"status\": \"affected\", \"version\": \"X14.0.7\"}, {\"status\": \"affected\", \"version\": \"X14.0.8\"}, {\"status\": \"affected\", \"version\": \"X14.2.0\"}, {\"status\": \"affected\", \"version\": \"X14.0.9\"}, {\"status\": \"affected\", \"version\": \"X14.2.1\"}, {\"status\": \"affected\", \"version\": \"X14.2.2\"}, {\"status\": \"affected\", \"version\": \"X14.0.11\"}, {\"status\": \"affected\", \"version\": \"X14.2.5\"}, {\"status\": \"affected\", \"version\": \"X14.0.10\"}, {\"status\": \"affected\", \"version\": \"X14.2.6\"}, {\"status\": \"affected\", \"version\": \"X14.2.7\"}, {\"status\": \"affected\", \"version\": \"X14.3.0\"}, {\"status\": \"affected\", \"version\": \"X14.3.1\"}, {\"status\": \"affected\", \"version\": \"X14.3.2\"}, {\"status\": \"affected\", \"version\": \"X14.3.3\"}, {\"status\": \"affected\", \"version\": \"X15.0.0\"}, {\"status\": \"affected\", \"version\": \"X14.3.4\"}, {\"status\": \"affected\", \"version\": \"X14.3.5\"}, {\"status\": \"affected\", \"version\": \"X15.0.1\"}, {\"status\": \"affected\", \"version\": \"X15.0.2\"}, {\"status\": \"affected\", \"version\": \"X15.0.3\"}, {\"status\": \"affected\", \"version\": \"X14.3.6\"}, {\"status\": \"affected\", \"version\": \"X15.2.0\"}, {\"status\": \"affected\", \"version\": \"X15.2.1\"}], \"defaultStatus\": \"unknown\"}], \"exploits\": [{\"lang\": \"en\", \"value\": \"The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.\"}], \"references\": [{\"url\": \"https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-expressway-xss-uexUZrEW\", \"name\": \"cisco-sa-expressway-xss-uexUZrEW\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"A vulnerability in the web-based management interface of Cisco Expressway Series could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface.\\r\\n\\r\\nThis vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.\\r\\nNote: Cisco Expressway Series refers to Cisco Expressway Control (Expressway-C) devices and Cisco Expressway Edge (Expressway-E) devices.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"cwe\", \"cweId\": \"CWE-79\", \"description\": \"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\"}]}], \"providerMetadata\": {\"orgId\": \"d1c1063e-7a18-46af-9102-31f8928bc633\", \"shortName\": \"cisco\", \"dateUpdated\": \"2025-02-05T16:14:03.704Z\"}}}", cveMetadata: "{\"cveId\": \"CVE-2025-20179\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-02-05T17:21:13.663Z\", \"dateReserved\": \"2024-10-10T19:15:13.225Z\", \"assignerOrgId\": \"d1c1063e-7a18-46af-9102-31f8928bc633\", \"datePublished\": \"2025-02-05T16:14:03.704Z\", \"assignerShortName\": \"cisco\"}", dataType: "CVE_RECORD", dataVersion: "5.1", }, }, }
Log in or create an account to share your comment.
Security Advisory comment format.
This schema specifies the format of a comment related to a security advisory.
Title of the comment
Description of the comment
Loading…
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.