CVE-2025-20204

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface. 

This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have valid administrative credentials.

Published: Feb 5, 2025
Updated: May 4, 2025
CVE: CVE-2025-20204
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 4.8
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
cisco / identity_services_engine	3.4.0	3.4.0.x
cisco / identity_services_engine	3.3.0	3.3.0.x
cisco / identity_services_engine	3.2.0	3.2.0.x
cisco / identity_services_engine	3.2.0-patch1	3.2.0-patch1.x
cisco / identity_services_engine	3.2.0-patch3	3.2.0-patch3.x
cisco / identity_services_engine	3.2.0-patch2	3.2.0-patch2.x
cisco / identity_services_engine	3.0.0	3.2
cisco / identity_services_engine	3.2.0-patch4	3.2.0-patch4.x
cisco / identity_services_engine	3.2.0-patch5	3.2.0-patch5.x
cisco / identity_services_engine	3.2.0-patch6	3.2.0-patch6.x
cisco / identity_services_engine	3.2.0-patch7	3.2.0-patch7.x
cisco / identity_services_engine	3.3.0-patch1	3.3.0-patch1.x
cisco / identity_services_engine	3.3.0-patch2	3.3.0-patch2.x

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-xss-42tgsdMG

Vulnerability Database

289,599

CVE-2025-20204