Detections
Analytics

Cisco Secure Email and Web Manager XSS (cisco-sa-esa-sma-xss-WCk2WcuG)

medium Nessus Plugin ID 216072

Language:

Synopsis

The remote device is missing a vendor-supplied security patch.

Description

According to its self-reported version, Cisco Secure Email and Web Manager Cross-Site Scripting is affected by a vulnerability.

 - A vulnerability in the web-based management interface of Cisco AsyncOS Software for Cisco Secure Email and Web Manager and Secure Email Gateway could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface. This vulnerability is due to insufficient validation of user input. An attacker could exploit this vulnerability by persuading a user of an affected interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have valid credentials for a user account with at least the role of Operator. (CVE-2025-20180)

Please see the included Cisco BIDs and Cisco Security Advisory for more information.

Solution

Upgrade to the relevant fixed version referenced in Cisco bug IDs CSCwn25954

See Also

http://www.nessus.org/u?3cf44498

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwn25954

Plugin Details

Severity: Medium

ID: 216072

File Name: cisco-sa-esa-sma-xss-WCk2WcuG_sma.nasl

Version: 1.1

Type: combined

Family: CISCO

Published: 2/11/2025

Updated: 2/11/2025

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.6

CVSS v2

Risk Factor: Medium

Base Score: 4.7

Temporal Score: 3.5

Vector: CVSS2#AV:N/AC:L/Au:M/C:P/I:P/A:N

CVSS Score Source: CVE-2025-20180

CVSS v3

Risk Factor: Medium

Base Score: 4.8

Temporal Score: 4.2

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/h:cisco:content_security_management_appliance, x-cpe:/o:cisco:secure_email_and_web_manager, cpe:/a:cisco:content_security_management_appliance

Required KB Items: Host/AsyncOS/Cisco Content Security Management Appliance/DisplayVersion, Host/AsyncOS/Cisco Content Security Management Appliance/Version

Exploit Ease: No known exploits are available

Patch Publication Date: 2/5/2025

Vulnerability Publication Date: 2/5/2025

Reference Information

CVE: CVE-2025-20180

CWE: 79

CISCO-SA: cisco-sa-esa-sma-xss-WCk2WcuG

IAVA: 2025-A-0082

CISCO-BUG-ID: CSCwn25954