CVE-2025-20279

Published: Jun 4, 2025Modified: Jul 22, 2025

4.8

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Exploitability: 1.7 / Impact: 2.7

Source: psirt@cisco.com (Secondary)

Description

A vulnerability in the web-based management interface of Cisco Unified CCX could allow an authenticated, remote attacker to conduct a stored XSS attack on an affected system. To exploit this vulnerability, the attacker must have valid administrative credentials. This vulnerability is due to improper sanitization of user input to the web-based management interface. An attacker could exploit this vulnerability by submitting a malicious script through the interface. A successful exploit could allow the attacker to conduct a stored XSS attack on the affected system.

Affected (60)

Products: Cisco: Unified Contact Center Express

Cisco

1 product

Unified Contact Center Express

Configuration A

60 vulnerable

Vulnerable Software	Affected Versions
Cisco Unified Contact Center Express	Version 10.0(1)su1
Cisco Unified Contact Center Express	Version 10.0(1)su1es04
Cisco Unified Contact Center Express	Version 10.5(1)
Cisco Unified Contact Center Express	Version 10.5(1)su1
Cisco Unified Contact Center Express	Version 10.5(1)su1es10
Cisco Unified Contact Center Express	Version 10.6(1)
Cisco Unified Contact Center Express	Version 10.6(1)su1
Cisco Unified Contact Center Express	Version 10.6(1)su2
Cisco Unified Contact Center Express	Version 10.6(1)su2es04
Cisco Unified Contact Center Express	Version 10.6(1)su3
Cisco Unified Contact Center Express	Version 10.6(1)su3es01
Cisco Unified Contact Center Express	Version 10.6(1)su3es02
Cisco Unified Contact Center Express	Version 10.6(1)su3es03
Cisco Unified Contact Center Express	Version 11.0(1)su1
Cisco Unified Contact Center Express	Version 11.0(1)su1es02
Cisco Unified Contact Center Express	Version 11.0(1)su1es03
Cisco Unified Contact Center Express	Version 11.5(1)es01
Cisco Unified Contact Center Express	Version 11.5(1)su1
Cisco Unified Contact Center Express	Version 11.5(1)su1es01
Cisco Unified Contact Center Express	Version 11.5(1)su1es02
Cisco Unified Contact Center Express	Version 11.5(1)su1es03
Cisco Unified Contact Center Express	Version 11.6(1)
Cisco Unified Contact Center Express	Version 11.6(1)es01
Cisco Unified Contact Center Express	Version 11.6(1)es02
Cisco Unified Contact Center Express	Version 11.6(2)
Cisco Unified Contact Center Express	Version 11.6(2)es01
Cisco Unified Contact Center Express	Version 11.6(2)es02
Cisco Unified Contact Center Express	Version 11.6(2)es03
Cisco Unified Contact Center Express	Version 11.6(2)es04
Cisco Unified Contact Center Express	Version 11.6(2)es05
Cisco Unified Contact Center Express	Version 11.6(2)es06
Cisco Unified Contact Center Express	Version 11.6(2)es07
Cisco Unified Contact Center Express	Version 11.6(2)es08
Cisco Unified Contact Center Express	Version 12.0(1)
Cisco Unified Contact Center Express	Version 12.0(1)es01
Cisco Unified Contact Center Express	Version 12.0(1)es02
Cisco Unified Contact Center Express	Version 12.0(1)es03
Cisco Unified Contact Center Express	Version 12.0(1)es04
Cisco Unified Contact Center Express	Version 12.5(1)
Cisco Unified Contact Center Express	Version 12.5(1)_su01_es01
Cisco Unified Contact Center Express	Version 12.5(1)_su01_es02
Cisco Unified Contact Center Express	Version 12.5(1)_su01_es03
Cisco Unified Contact Center Express	Version 12.5(1)_su02_es01
Cisco Unified Contact Center Express	Version 12.5(1)_su02_es02
Cisco Unified Contact Center Express	Version 12.5(1)_su02_es03
Cisco Unified Contact Center Express	Version 12.5(1)_su02_es04
Cisco Unified Contact Center Express	Version 12.5(1)_su03_es01
Cisco Unified Contact Center Express	Version 12.5(1)_su03_es02
Cisco Unified Contact Center Express	Version 12.5(1)_su03_es03
Cisco Unified Contact Center Express	Version 12.5(1)_su03_es04
Cisco Unified Contact Center Express	Version 12.5(1)_su03_es05
Cisco Unified Contact Center Express	Version 12.5(1)_su03_es06
Cisco Unified Contact Center Express	Version 12.5(1)es01
Cisco Unified Contact Center Express	Version 12.5(1)es02
Cisco Unified Contact Center Express	Version 12.5(1)es03
Cisco Unified Contact Center Express	Version 12.5(1)su1
Cisco Unified Contact Center Express	Version 12.5(1)su2
Cisco Unified Contact Center Express	Version 12.5(1)su3
Cisco Unified Contact Center Express	Version 8.5(1)
Cisco Unified Contact Center Express	Version 9.0(2)su3es04

Related CWEs

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (1)

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-uccx-multi-UhOTvPGL

Source: psirt@cisco.com

Vendor Advisory

Timeline

No history available yet.