HIGH🇬🇧 English

CVE-2025-40892

CVSS 7.1v4.0pub. 2025-12-18upd. 2026-04-14

A Stored Cross-Site Scripting vulnerability was discovered in the Reports functionality due to improper validation of an input parameter. An authenticated user with report privileges can define a malicious report containing a JavaScript payload, or a victim can be socially engineered to import a malicious report template. When the victim views or imports the report, the XSS executes in their browser context, allowing the attacker to perform unauthorized actions as the victim, such as modify application data, disrupt application availability, and access limited sensitive information.

oryginał EN
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Nozominetworks Cmc

    APP
    Nozominetworks
    < 25.5.0
  • Nozominetworks Guardian

    APP
    Nozominetworks
    < 25.5.0
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
Tagi
XSS
CWE
Referencje

Powiązane podatności

CVE-2023-29245CRITICAL9.2ten sam produkt

A SQL Injection vulnerability in Nozomi Networks Guardian and CMC, due to improper input validation in certain...

CVE-2025-40898HIGH7.2ten sam produkt

A path traversal vulnerability was discovered in the Import Arc data archive functionality due to insufficient...

CVE-2025-3719HIGH7.2ten sam produkt

An access control vulnerability was discovered in the CLI functionality due to a specific access restriction n...

CVE-2025-40886HIGH7.7ten sam produkt

A SQL Injection vulnerability was discovered in the Alert functionality due to improper validation of an input...

CVE-2025-40889HIGH7.2ten sam produkt

A path traversal vulnerability was discovered in the Time Machine functionality due to missing validation of t...