Incomplete Denylist to Cross-Site Scripting

CVE-2025-20240

Medium

6.1/10

Summary

A vulnerability in the Web Authentication feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting attack (XSS) on an affected device. This vulnerability is due to improper sanitization of user-supplied input. An attacker could exploit this vulnerability by persuading a user to click a malicious link. A successful exploit could allow the attacker to execute a reflected XSS attack and steal user cookies from the affected device.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: LOW
Scope: CHANGED
User Interaction: REQUIRED
Privileges Required: NONE
Confidentiality Impact: LOW
Availability Impact: NONE

CWE-692 - Incomplete Denylist to Cross-Site Scripting

The product uses a denylist-based protection mechanism to defend against XSS attacks, but the denylist is incomplete, allowing XSS variants to succeed.

References

Advisory Timeline

Published Sep 24, 2025

Incomplete Denylist to Cross-Site Scripting

CVE-2025-20240

Summary

CWE-692 - Incomplete Denylist to Cross-Site Scripting

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS