Cisco Identity Services Engine (cisco-sa-ise_xss_acc_cont-YsR4uT4U)

medium Nessus Plugin ID 244061

Synopsis

The remote device is missing a vendor-supplied security patch.

Description

According to its self-reported version, Cisco ISE is affected by a vulnerability.

- A vulnerability in the web-based management interface of Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to conduct a stored XSS attack against a user of the interface. This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have at least a low-privileged account on the affected device. (CVE-2025-20331)

Please see the included Cisco bug IDs and Cisco Security Advisory for more information.

Solution

Upgrade to the relevant fixed version referenced in Cisco bug IDs CSCwk14928 and CSCwm03606.

See Also

http://www.nessus.org/u?1371b1c0

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwk14928

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwm03606

Plugin Details

Severity: Medium

ID: 244061

File Name: cisco-sa-ise_xss_acc_cont-YsR4uT4U_CVE-2025-20331.nasl

Version: 1.1

Type: local

Family: CISCO

Published: 8/6/2025

Updated: 8/6/2025

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.8

CVSS v2

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 4.1

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N

CVSS Score Source: CVE-2025-20331

CVSS v3

Risk Factor: Medium

Base Score: 5.4

Temporal Score: 4.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:cisco:identity_services_engine, cpe:/h:cisco:identity_services_engine, cpe:/a:cisco:identity_services_engine_software

Required KB Items: Host/Cisco/ISE/version

Exploit Ease: No known exploits are available

Patch Publication Date: 8/6/2025

Vulnerability Publication Date: 8/6/2025

Reference Information

CVE: CVE-2025-20331