Rewterz

Multiple Cisco Products Vulnerabilities

Severity

Medium

Analysis Summary

CVE-2025-20123 CVSS:4.8

Multiple vulnerabilities in the web-based management interface of Cisco Crosswork Network Controller could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against users of the interface of an affected system.

CVE-2025-20126 CVSS:4.8

A vulnerability in the certificate validation routines of Cisco ThousandEyes Endpoint Agent for macOS and RoomOS could allow an unauthenticated, remote attacker to intercept or manipulate metrics information.

CVE-2025-20166 CVSS:5.4

A vulnerability in the web-based management interface of Cisco Common Services Platform Collector (CSPC) could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface.

CVE-2025-20167 CVSS:5.4

A vulnerability in the web-based management interface of Cisco Common Services Platform Collector (CSPC) could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface.

CVE-2025-20168 CVSS:5.4

A vulnerability in the web-based management interface of Cisco Common Services Platform Collector (CSPC) could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface.

Impact

  • Gain Access
  • Cross-Site Scripting

Indicators of Compromise

CVE

  • CVE-2025-20123
  • CVE-2025-20126
  • CVE-2025-20166
  • CVE-2025-20167
  • CVE-2025-20168

Affected Vendors

Cisco

Affected Products

  • Cisco Crosswork Network Controller
  • Cisco ThousandEyes Endpoint Agent for macOS - 1.200
  • Cisco ThousandEyes Endpoint Agent for RoomOS - 1.200
  • Cisco Common Services Platform Collector (CSPC)

Remediation

Refer to the relevant Cisco Security Advisory for patch, upgrade, or suggested workaround information.

  • CVE-2025-20123
  • CVE-2025-20126
  • CVE-2025-20166
  • CVE-2025-20167
  • CVE-2025-20168