CVE-2025-20240: Incomplete Denylist to Cross-Site Scripting in Cisco IOS XE Software

Severity: 6.1 MEDIUM (NVD)
EPSS: 0.0% (top 89.53%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline: Published Sep 24

Description

A vulnerability in the Web Authentication feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting attack (XSS) on an affected device. This vulnerability is due to improper sanitization of user-supplied input. An attacker could exploit this vulnerability by persuading a user to click a malicious link. A successful exploit could allow the attacker to execute a reflected XSS attack and steal user cookies from the affected device.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages (1 package)

CVEListV5: cisco/cisco_ios_xe_software (216 versions)

Vulnerability Details (2)

CVEList, 2025-09-24: CVE-2025-20240: A vulnerability in the Web Authentication feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a reflected cros...
GHSA, 2025-09-24: GHSA-7423-xf8w-j7hg: A vulnerability in the web UI of Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting att...

Vendor Advisories (1)

Cisco, 2025-09-24: Cisco IOS XE Software Web Authentication Reflected Cross-Site Scripting Vulnerability
CVE-2025-20240: Cisco IOS XE Software vulnerability | cvebase