CVE-2025-20289

CWE-79 — Cross-site Scripting (XSS)CWE-12204 documents4 sources

Severity

5.4MEDIUM

EPSS

0.1%

top 84.12%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cisco Identity Services Engine Cisco Cisco Identity Services Engine Software

Timeline

PublishedNov 5

Description

Multiple vulnerabilities in the web-based management interface of Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to conduct a reflected XSS attack against a user of the interface. These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit these vulnerabilities by injecting malicious code into specific pages of the interface. A successful exploit could allow the a…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:NExploitability: 1.7 | Impact: 2.7

Affected Packages2 packages

▶NVDcisco/identity_services_engine3.1.0+3

▶CVEListV5cisco/cisco_identity_services_engine_software30 versions+29

🔴Vulnerability Details

GHSA

GHSA-97fq-qprm-p8vj: Multiple vulnerabilities in the web-based management interface of Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to conduct↗2025-11-05

▶

CVEList

CVE-2025-20289: Multiple vulnerabilities in the web-based management interface of Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to conduct↗2025-11-05

▶

📋Vendor Advisories

Cisco

Cisco Identity Services Engine Reflected Cross-Site Scripting and Information Disclosure Vulnerabilities↗2025-11-05

▶