A vulnerability in the Web Authentication feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting attack (XSS) on an affected device.
This vulnerability is due to improper sanitization of user-supplied input. An attacker could exploit this vulnerability by persuading a user to click a malicious link. A successful exploit could allow the attacker to execute a reflected XSS attack and steal user cookies from the affected device.
References
Configurations
No configuration.
History
26 Sep 2025, 18:15
| Type | Values Removed | Values Added |
|---|---|---|
| Summary | (en) A vulnerability in the Web Authentication feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting attack (XSS) on an affected device. This vulnerability is due to improper sanitization of user-supplied input. An attacker could exploit this vulnerability by persuading a user to click a malicious link. A successful exploit could allow the attacker to execute a reflected XSS attack and steal user cookies from the affected device. |
24 Sep 2025, 18:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2025-09-24 18:15
Updated : 2025-09-26 18:15
NVD link : CVE-2025-20240
Mitre link : CVE-2025-20240
CVE.ORG link : CVE-2025-20240
JSON object : View
Products Affected
No product.
CWE
CWE-692
Incomplete Denylist to Cross-Site Scripting