ID

VAR-202501-0173


CVE

CVE-2025-20123


TITLE

Cisco Crosswork Network Controller Cross-Site Scripting Vulnerability

Trust: 0.6

sources: CNVD: CNVD-2025-01383

DESCRIPTION

Multiple vulnerabilities in the web-based management interface of Cisco Crosswork Network Controller could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against users of the interface of an affected system. These vulnerabilities exist because the web-based management interface does not properly validate user-supplied input. An attacker could exploit these vulnerabilities by inserting malicious data into specific data fields in the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit these vulnerabilities, the attacker must have valid administrative credentials. Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities. Cisco Crosswork Network Controller is a network controller of Cisco. When the malicious data is viewed, sensitive information can be obtained or user sessions can be hijacked.

Trust: 1.44

sources: NVD: CVE-2025-20123 // CNVD: CNVD-2025-01383

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2025-01383

AFFECTED PRODUCTS

vendor: cisco, model: crosswork network controller, scope: -, version: -

Trust: 0.6

sources: CNVD: CNVD-2025-01383

CVSS

SEVERITY

CVSSV2

CVSSV3

ykramarz@cisco.com: CVE-2025-20123
value: MEDIUM

Trust: 1.0

CNVD: CNVD-2025-01383
value: MEDIUM

Trust: 0.6

CNVD: CNVD-2025-01383
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

ykramarz@cisco.com: CVE-2025-20123
baseSeverity: MEDIUM
baseScore: 4.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 1.7
impactScore: 2.7
version: 3.1

Trust: 1.0

sources: CNVD: CNVD-2025-01383 // NVD: CVE-2025-20123

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.0

sources: NVD: CVE-2025-20123

PATCH

title: Patch for Cisco Crosswork Network Controller Cross-Site Scripting Vulnerability, url: https://www.cnvd.org.cn/patchInfo/show/651341

Trust: 0.6

sources: CNVD: CNVD-2025-01383

EXTERNAL IDS

db: NVD, id: CVE-2025-20123

Trust: 1.6

db: CNVD, id: CNVD-2025-01383

Trust: 0.6

sources: CNVD: CNVD-2025-01383 // NVD: CVE-2025-20123

REFERENCES

url: https://sec.cloudapps.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-xwork-xss-kccg7wwu

Trust: 1.0

url: https://nvd.nist.gov/vuln/detail/cve-2025-20123

Trust: 0.6

sources: CNVD: CNVD-2025-01383 // NVD: CVE-2025-20123

SOURCES

db: CNVD, id: CNVD-2025-01383
db: NVD, id: CVE-2025-20123

LAST UPDATE DATE

2025-01-21T23:07:33.009000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2025-01383, date: 2025-01-14T00:00:00
db: NVD, id: CVE-2025-20123, date: 2025-01-08T16:15:38.150

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2025-01383, date: 2025-01-14T00:00:00
db: NVD, id: CVE-2025-20123, date: 2025-01-08T16:15:38.150