CVE-2025-20305
Severity
4.9 MEDIUM
EPSS
0.0%
top 89.73%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published Nov 5
Description
A vulnerability in the web-based management interface of Cisco ISE could allow an authenticated, remote attacker to obtain sensitive information from an affected device.
This vulnerability exists because certain files lack proper data protection mechanisms. An attacker with read-only Administrator privileges could exploit this vulnerability by performing actions where the results should only be viewable to a high-privileged user. A successful exploit could allow the attacker to view passwords th…
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Exploitability: 2.8 | Impact: 1.4
Affected Packages
2 packages
Vulnerability Details (2)
GHSA
GHSA-g7hc-wvj4-v52x: A vulnerability in the web-based management interface of Cisco ISE could allow an authenticated, remote attacker to obtain sensitive information from (2025-11-05)
CVEList
CVE-2025-20305: A vulnerability in the web-based management interface of Cisco ISE could allow an authenticated, remote attacker to obtain sensitive information from (2025-11-05)
Vendor Advisories (1)
Cisco
Cisco Identity Services Engine Reflected Cross-Site Scripting and Information Disclosure Vulnerabilities (2025-11-05)