CVE-2025-20330 | THREATINT

Description

A vulnerability in the web-based management interface of Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.

PUBLISHED Reserved 2024-10-10 | Published 2025-09-03 | Updated 2025-09-04 | Assigner cisco

MEDIUM: 6.1CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Problem types

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

Default status

unknown

12.5(1)

affected

12.5(1)SU1

affected

12.5(1)SU2

affected

12.5(1)SU3

affected

12.5(1)SU4

affected

12.5(1)SU5

affected

14SU1

affected

12.5(1)SU6

affected

14SU2

affected

14SU2a

affected

12.5(1)SU7

affected

14SU3

affected

12.5(1)SU8

affected

15SU1

affected

14SU4

affected

12.5(1)SU9

affected

15SU2

affected

References

sec.cloudapps.cisco.com/...dvisory/cisco-sa-imp-xss-XQgu4HSG (cisco-sa-imp-xss-XQgu4HSG)

cve.org (CVE-2025-20330)

nvd.nist.gov (CVE-2025-20330)

Download JSON