{"schema_version":"public-product-v1.1","generated_at":"2026-06-10T12:19:26Z","exposure_verdict":"not_assessed","verdict_reason":"Public evidence does not evaluate exact release, platform, enabled features, configuration, compensating controls, or live exposure.","advisory":{"id":"cisco-sa-ece-xss-CbtKtEYc","slug":"cisco-sa-ece-xss-cbtkteyc","vendor":"Cisco","title":"Cisco Enterprise Chat and Email Stored Cross-Site Scripting Vulnerability","summary":"A vulnerability in the web UI of Cisco Enterprise Chat and Email (ECE) could allow an unauthenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface. This vulnerability exists because the web UI does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To successfully exploit this vulnerability, an attacker would need valid agent credentials. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. There is a mitigation that addresses this vulnerability. 
This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ece-xss-CbtKtEYc","severity":"Medium","published_at":"2025-07-02T16:00:00Z","updated_at":"2025-07-02T16:00:00Z","source_url":"https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ece-xss-CbtKtEYc","csaf_url":"https://sec.cloudapps.cisco.com/security/center/contentjson/CiscoSecurityAdvisory/cisco-sa-ece-xss-CbtKtEYc/csaf/cisco-sa-ece-xss-CbtKtEYc.json","exposure_verdict":"not_assessed","verdict_reason":"Public evidence does not evaluate exact release, platform, enabled features, configuration, compensating controls, or live exposure."},"freshness":{"last_source_refreshed_at":"2026-05-26T00:00:03Z","latest_source_refresh_at":"2026-05-26T00:00:03Z","oldest_source_refresh_at":"2026-05-22T00:16:33Z","all_sources_fresh":false,"sources":[{"source":"cisco_advisories","label":"Cisco advisories","last_success_at":"2026-05-26T00:00:03Z","stale":true},{"source":"cisco_csaf","label":"Cisco CSAF","last_success_at":"2026-05-25T03:03:26Z","stale":true},{"source":"nvd_cves","label":"NVD CVEs","last_success_at":"2026-05-22T00:16:33Z","stale":true},{"source":"cisa_kev","label":"CISA KEV","last_success_at":"2026-05-22T00:16:34Z","stale":true},{"source":"first_epss","label":"EPSS","last_success_at":"2026-05-22T00:16:40Z","stale":true}]},"summary":{"cve_count":1,"visible_product_count":1,"public_evidence_count":1,"kev_count":0,"highest_epss":0.00122,"highest_cvss":6.1},"cves":[{"id":"CVE-2025-20310","description":"A vulnerability in the web UI of Cisco Enterprise Chat and Email (ECE) could allow an unauthenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface.\r\n\r\nThis vulnerability exists because the web UI does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. 
A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To successfully exploit this vulnerability, an attacker would need valid agent credentials.","severity":"MEDIUM","kev":false,"epss":{"score":0.00122,"percentile":0.30722,"score_date":"2026-05-21","updated_at":"2026-05-22T00:16:40Z"},"cvss_score":6.1,"cvss_source":"NVD","cwe":"CWE-79","published_at":"2025-07-02T16:15:28Z","modified_at":"2025-07-31T16:58:29Z"}],"public_evidence":[{"product":{"name":"Cisco Enterprise Chat and Email","slug":"cisco-enterprise-chat-and-email","vendor":"Cisco"},"cve":{"id":"CVE-2025-20310"},"evidence_type":"structured_affected","evidence_label":{"scope":"CSAF product evidence","label":"product_status known affected"},"evidence_source":"Cisco CSAF","source":"Cisco CSAF","source_document_fetched_at":"2026-05-19T19:55:57Z","csaf_status":"known_affected","csaf_product_status":"known_affected","csaf_product_status_path":"vulnerabilities[].product_status.known_affected","raw_product_name":"Cisco Enterprise Chat and Email","exposure_verdict":"not_assessed","verdict_reason":"Public evidence does not evaluate exact release, platform, enabled features, configuration, compensating controls, or live exposure.","exposure_verdict_reason":"Public evidence does not evaluate exact release, platform, enabled features, configuration, compensating controls, or live 
exposure.","kev":false,"epss":{"score":0.00122,"score_date":"2026-05-21","updated_at":"2026-05-22T00:16:40Z"},"cvss_score":6.1,"cvss_source":"NVD","published_at":"2025-07-02T16:00:00Z","updated_at":"2025-07-02T16:00:00Z","advisory_updated_at":"2025-07-02T16:00:00Z","source_url":"https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ece-xss-CbtKtEYc","remediation":{"url":"https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ece-xss-CbtKtEYc"},"row_display_order":1}]}