A vulnerability in the web-based management interface of Cisco AsyncOS Software for Cisco Secure Email and Web Manager and Secure Email Gateway could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface. This vulnerability is due to insufficient validation of user input. An attacker could exploit this vulnerability by persuading a user of an affected interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have valid credentials for a user account with at least the role of Operator.

Metrics

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

Vendors Products
Cisco
  • Asyncos
  • Secure Email
  • Secure Email And Web Manager
  • Secure Email Gateway

Configuration 1 [-]

AND
OR cpe:2.3:a:cisco:secure_email_and_web_manager:12.8.1-002:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_and_web_manager:12.8.1-021:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_and_web_manager:13.0.0-249:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_and_web_manager:13.0.0-277:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_and_web_manager:13.6.1-201:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_and_web_manager:13.6.2-023:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_and_web_manager:13.6.2-078:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_and_web_manager:13.8.1-052:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_and_web_manager:13.8.1-068:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_and_web_manager:13.8.1-074:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_and_web_manager:13.8.1-108:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_and_web_manager:14.0.0-404:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_and_web_manager:14.1.0-227:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_and_web_manager:14.2.0-203:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_and_web_manager:14.2.0-212:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_and_web_manager:14.2.0-224:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_and_web_manager:14.3.0-120:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_and_web_manager:15.0.0-334:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_and_web_manager:15.5.1-024:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_and_web_manager:15.5.1-029:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_and_web_manager:15.5.2-005:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_and_web_manager:16.0.0-195:*:*:*:*:*:*:*
cpe:2.3:o:cisco:asyncos:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND
OR cpe:2.3:a:cisco:secure_email_gateway:13.0.0-392:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_gateway:13.0.5-007:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_gateway:13.5.1-277:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_gateway:13.5.4-038:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_gateway:14.0.0-698:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_gateway:14.2.0-620:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_gateway:14.2.1-020:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_gateway:14.3.0-032:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_gateway:15.0.0-104:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_gateway:15.0.1-030:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_gateway:15.0.3-002:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_gateway:15.5.0-048:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_gateway:15.5.1-055:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_gateway:15.5.2-018:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_gateway:16.0.0-050:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_gateway:16.0.0-054:*:*:*:*:*:*:*
cpe:2.3:o:cisco:asyncos:-:*:*:*:*:*:*:*

No data.

References
Link Providers
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esa-sma-xss-WCk2WcuG cve-icon cve-icon
History

Thu, 31 Jul 2025 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Cisco asyncos
CPEs cpe:2.3:a:cisco:secure_email_and_web_manager:12.8.1-002:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_and_web_manager:12.8.1-021:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_and_web_manager:13.0.0-249:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_and_web_manager:13.0.0-277:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_and_web_manager:13.6.1-201:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_and_web_manager:13.6.2-023:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_and_web_manager:13.6.2-078:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_and_web_manager:13.8.1-052:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_and_web_manager:13.8.1-068:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_and_web_manager:13.8.1-074:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_and_web_manager:13.8.1-108:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_and_web_manager:14.0.0-404:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_and_web_manager:14.1.0-227:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_and_web_manager:14.2.0-203:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_and_web_manager:14.2.0-212:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_and_web_manager:14.2.0-224:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_and_web_manager:14.3.0-120:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_and_web_manager:15.0.0-334:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_and_web_manager:15.5.1-024:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_and_web_manager:15.5.1-029:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_and_web_manager:15.5.2-005:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_and_web_manager:16.0.0-195:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_gateway:13.0.0-392:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_gateway:13.0.5-007:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_gateway:13.5.1-277:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_gateway:13.5.4-038:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_gateway:14.0.0-698:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_gateway:14.2.0-620:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_gateway:14.2.1-020:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_gateway:14.3.0-032:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_gateway:15.0.0-104:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_gateway:15.0.1-030:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_gateway:15.0.3-002:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_gateway:15.5.0-048:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_gateway:15.5.1-055:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_gateway:15.5.2-018:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_gateway:16.0.0-050:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_email_gateway:16.0.0-054:*:*:*:*:*:*:*
cpe:2.3:o:cisco:asyncos:-:*:*:*:*:*:*:*
Vendors & Products Cisco asyncos

Wed, 16 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.0003}

 epss

{'score': 0.00038}

Wed, 05 Feb 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 05 Feb 2025 16:30:00 +0000

Type Values Removed Values Added
Description A vulnerability in the web-based management interface of Cisco AsyncOS Software for Cisco Secure Email and Web Manager and Secure Email Gateway could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface. This vulnerability is due to insufficient validation of user input. An attacker could exploit this vulnerability by persuading a user of an affected interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have valid credentials for a user account with at least the role of Operator.
Title Cisco Secure Email and Web Manager and Secure Email Gateway Cross-Site Scripting Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}
cve-icon MITRE

Status: PUBLISHED

Assigner: cisco

Published: 2025-02-05T16:14:11.746Z

Updated: 2025-02-05T17:20:45.616Z

Reserved: 2024-10-10T19:15:13.225Z

Link: CVE-2025-20180

cve-icon Vulnrichment

Updated: 2025-02-05T17:20:40.327Z

cve-icon NVD

Status : Analyzed

Published: 2025-02-05T17:15:25.370

Modified: 2025-07-31T18:27:18.703

Link: CVE-2025-20180

cve-icon Redhat

No data.