CVE-2025-20180
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Summary
A vulnerability in the web-based management interface of Cisco AsyncOS Software for Cisco Secure Email and Web Manager and Secure Email Gateway could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface.
This vulnerability is due to insufficient validation of user input. An attacker could exploit this vulnerability by persuading a user of an affected interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have valid credentials for a user account with at least the role of Operator.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Cisco | Cisco Secure Email | 14.0.0-698 | affected |
| Cisco | Cisco Secure Email | 13.5.1-277 | affected |
| Cisco | Cisco Secure Email | 13.0.0-392 | affected |
| Cisco | Cisco Secure Email | 14.2.0-620 | affected |
| Cisco | Cisco Secure Email | 13.0.5-007 | affected |
| Cisco | Cisco Secure Email | 13.5.4-038 | affected |
| Cisco | Cisco Secure Email | 14.2.1-020 | affected |
| Cisco | Cisco Secure Email | 14.3.0-032 | affected |
| Cisco | Cisco Secure Email | 15.0.0-104 | affected |
| Cisco | Cisco Secure Email | 15.0.1-030 | affected |
| Cisco | Cisco Secure Email | 15.5.0-048 | affected |
| Cisco | Cisco Secure Email | 15.5.1-055 | affected |
| Cisco | Cisco Secure Email | 15.5.2-018 | affected |
| Cisco | Cisco Secure Email | 16.0.0-050 | affected |
| Cisco | Cisco Secure Email | 15.0.3-002 | affected |
| Cisco | Cisco Secure Email | 16.0.0-054 | affected |
| Cisco | Cisco Secure Email and Web Manager | 13.6.2-023 | affected |
| Cisco | Cisco Secure Email and Web Manager | 13.6.2-078 | affected |
| Cisco | Cisco Secure Email and Web Manager | 13.0.0-249 | affected |
| Cisco | Cisco Secure Email and Web Manager | 13.0.0-277 | affected |
| Cisco | Cisco Secure Email and Web Manager | 13.8.1-052 | affected |
| Cisco | Cisco Secure Email and Web Manager | 13.8.1-068 | affected |
| Cisco | Cisco Secure Email and Web Manager | 13.8.1-074 | affected |
| Cisco | Cisco Secure Email and Web Manager | 14.0.0-404 | affected |
| Cisco | Cisco Secure Email and Web Manager | 12.8.1-002 | affected |
| Cisco | Cisco Secure Email and Web Manager | 14.1.0-227 | affected |
| Cisco | Cisco Secure Email and Web Manager | 13.6.1-201 | affected |
| Cisco | Cisco Secure Email and Web Manager | 14.2.0-203 | affected |
| Cisco | Cisco Secure Email and Web Manager | 14.2.0-212 | affected |
| Cisco | Cisco Secure Email and Web Manager | 12.8.1-021 | affected |
| Cisco | Cisco Secure Email and Web Manager | 13.8.1-108 | affected |
| Cisco | Cisco Secure Email and Web Manager | 14.2.0-224 | affected |
| Cisco | Cisco Secure Email and Web Manager | 14.3.0-120 | affected |
| Cisco | Cisco Secure Email and Web Manager | 15.0.0-334 | affected |
| Cisco | Cisco Secure Email and Web Manager | 15.5.1-024 | affected |
| Cisco | Cisco Secure Email and Web Manager | 15.5.1-029 | affected |
| Cisco | Cisco Secure Email and Web Manager | 15.5.2-005 | affected |
| Cisco | Cisco Secure Email and Web Manager | 16.0.0-195 | affected |
Weaknesses
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.