CVE-2025-20166

Description

A vulnerability in the web-based management interface of Cisco Common Services Platform Collector (CSPC) could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface. This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have at least a low-privileged account on an affected device. Cisco has not released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

CVSS v3.1 Score

5.4

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Weakness Type (CWE)

CWE-86 CWE-86

Affected Products

Vendor	Product	Versions
cisco	crosswork_network_controller	5.0.0 — 5.0.4
cisco	crosswork_network_controller	6.0.0 — 6.0.3
cisco	crosswork_network_controller	7.0.0 — 7.0.1
cisco	common_services_platform_collector	All
cisco	common_services_platform_collector	All
cisco	common_services_platform_collector	All
cisco	common_services_platform_collector	All
cisco	common_services_platform_collector	All

References

Advisories & Patches

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cspc-xss-CDOJZyH https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-xwork-xss-KCcg7WwU

Frequently Asked Questions

What is CVE-2025-20166? +

A vulnerability in the web-based management interface of Cisco Common Services Platform Collector (CSPC) could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface. This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have at least a low-privileged account on an affected device. Cisco has not released software updates that address this vulnerability. There are no workarounds that address this vulnerability. It has a CVSS v3.1 base score of 5.4 (MEDIUM).

How severe is CVE-2025-20166? +

CVE-2025-20166 has a CVSS v3.1 score of 5.4 out of 10, rated MEDIUM. This is a medium-severity vulnerability that should be remediated as part of regular maintenance.

What products are affected by CVE-2025-20166? +

CVE-2025-20166 affects products from cisco, specifically: common_services_platform_collector, crosswork_network_controller. Check the affected products table above for specific version ranges.

How do I check if I'm vulnerable to CVE-2025-20166? +

You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2024-21864 7.8

Improper neutralization in some Intel(R) Arc(TM) & Iris(R) Xe Graphics software before version 31.0.101.5081 may allow an unauthenticated user to …

CVE-2021-33158 7.2

Improper neutralization in some Intel(R) Ethernet Adapters and Intel(R) Ethernet Controller I225 Manageability firmware may allow a privileged user to …

CVE-2024-10941 6.5

A malicious website could have included an iframe with an malformed URI resulting in a non-exploitable browser crash. This vulnerability …

CVE-2025-20167 5.4

A vulnerability in the web-based management interface of Cisco Common Services Platform Collector (CSPC) could allow an authenticated, remote attacker …

CVE-2025-20168 5.4