This vulnerability involves improper neutralization of input during web page generation in the Cisco IOx application hosting environment management interface within Cisco IOS XE Software. An attacker with valid administrative credentials can inject malicious scripts that are stored and executed when a user accesses the affected web interface. This stored XSS flaw stems from insufficient input validation, potentially allowing script execution in the context of the management interface and unauthorized access to browser-based sensitive information. The vulnerability affects a wide range of Cisco IOS XE versions as listed. The CVSS 3.1 base score is 4.8 (medium severity), reflecting network attack vector, low attack complexity, high privileges required, user interaction required, and impact on confidentiality and integrity but not availability. No patch or vendor advisory details are provided in the input.

An authenticated attacker with administrative privileges can exploit this vulnerability to execute arbitrary script code within the web-based management interface of affected Cisco IOS XE devices. This could lead to unauthorized access to sensitive information accessible via the browser and potentially manipulation of the interface in the context of the victim user. The impact is limited to confidentiality and integrity with no direct availability impact. Exploitation requires valid administrative credentials and user interaction.

Patch status is not yet confirmed — check the Cisco vendor advisory for current remediation guidance. Since exploitation requires valid administrative credentials, ensure strong credential management and restrict administrative access to trusted personnel. Monitor Cisco advisories for official fixes or workarounds. Avoid using the web interface from untrusted environments until a fix is applied.