CVE-2025-20330

Published: Sep 3, 2025Modified: Sep 10, 2025

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: psirt@cisco.com (Secondary)

Description

A vulnerability in the web-based management interface of Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.

Affected (3)

Products: Cisco: Unified Communications Manager Im And Presence Service

Cisco

1 product

Unified Communications Manager Im And Presence Service

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Cisco Unified Communications Manager Im And Presence Service	From 15.0 to 15su3
Cisco Unified Communications Manager Im And Presence Service	Version 12.5
Cisco Unified Communications Manager Im And Presence Service	Version 14.0

Related CWEs

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (1)

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-imp-xss-XQgu4HSG

Source: psirt@cisco.com

Vendor Advisory

Timeline

No history available yet.