
CVE-2025-20180

NVD (NIST)
Published: Feb 5, 2025
Modified: Aug 15, 2025

CVSS score: 4.8
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Exploitability: 1.7 / Impact: 2.7
Source: psirt@cisco.com (Secondary)

Description

A vulnerability in the web-based management interface of Cisco AsyncOS Software for Cisco Secure Email and Web Manager and Secure Email Gateway could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface. This vulnerability is due to insufficient validation of user input. An attacker could exploit this vulnerability by persuading a user of an affected interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have valid credentials for a user account with at least the role of Operator.

Affected (38)

Products: Cisco AsyncOS (1 product)
Configuration A
22 vulnerable · 14 platform
Vulnerable software (Cisco), affected versions:
Version 12.8.1-002
Version 12.8.1-021
Version 13.0.0-249
Version 13.0.0-277
Version 13.6.1-201
Version 13.6.2-023
Version 13.6.2-078
Version 13.8.1-052
Version 13.8.1-068
Version 13.8.1-074
Version 13.8.1-108
Version 14.0.0-404
Version 14.1.0-227
Version 14.2.0-203
Version 14.2.0-212
Version 14.2.0-224
Version 14.3.0-120
Version 15.0.0-334
Version 15.5.1-024
Version 15.5.1-029
Version 15.5.2-005
Version 16.0.0-195
Running on/with (platform: versions):
Cisco Secure Email And Web Manager M170: All versions
Cisco Secure Email And Web Manager M190: All versions
Cisco Secure Email And Web Manager M195: All versions
Cisco Secure Email And Web Manager M380: All versions
Cisco Secure Email And Web Manager M390: All versions
Cisco Secure Email And Web Manager M390x: All versions
Cisco Secure Email And Web Manager M395: All versions
Cisco Secure Email And Web Manager M680: All versions
Cisco Secure Email And Web Manager M690: All versions
Cisco Secure Email And Web Manager M690x: All versions
Cisco Secure Email And Web Manager M695: All versions
Cisco Secure Email And Web Manager Virtual Appliance M100v: All versions
Cisco Secure Email And Web Manager Virtual Appliance M300v: All versions
Cisco Secure Email And Web Manager Virtual Appliance M600v: All versions
Configuration B
16 vulnerable · 6 platform
Vulnerable software (Cisco), affected versions:
Version 13.0.0-392
Version 13.0.5-007
Version 13.5.1-277
Version 13.5.4-038
Version 14.0.0-698
Version 14.2.0-620
Version 14.2.1-020
Version 14.3.0-032
Version 15.0.0-104
Version 15.0.1-030
Version 15.0.3-002
Version 15.5.0-048
Version 15.5.1-055
Version 15.5.2-018
Version 16.0.0-050
Version 16.0.0-054
Running on/with (platform: versions):
Cisco Secure Email Gateway C195: All versions
Cisco Secure Email Gateway C395: All versions
Cisco Secure Email Gateway C695: All versions
Cisco Secure Email Gateway Virtual Appliance C100v: All versions
Cisco Secure Email Gateway Virtual Appliance C300v: All versions
Cisco Secure Email Gateway Virtual Appliance C600v: All versions
