CRITICAL🇵🇱 Wersja polska

CVE-2025-11925

CVSS 10.0v4.0pub. 2025-10-17upd. 2025-11-07

Incorrect Content-Type header in one of the APIs (`text/html` instead of `application/json`) replies may potentially allow injection of HTML/JavaScript into reply.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.

🤖 AI Analysis
How it works

The affected API returns responses with the Content-Type header set to text/html instead of the correct application/json. The browser or HTTP client interprets the response content as HTML, which opens the possibility of embedding and executing malicious HTML or JavaScript code in the context of that response. The error is classified as CWE-754 (Improper Check for Unusual or Exceptional Conditions), which means a lack of proper verification and sanitization of API output data.

Impact

An attacker can potentially inject and execute malicious HTML/JavaScript code in the victim's browser (XSS), which may lead to session hijacking, credential theft, or execution of unauthorized actions on behalf of the user. The full CVSS 10.0 vector indicates a possible critical impact on confidentiality, integrity, and availability of both the target system and related systems.

Mitigation & patch

Apply patches available from the manufacturer in accordance with references published at https://azure-access.com/security-advisories. Until the update is applied, it is recommended to restrict access to affected APIs only to trusted networks and monitor network traffic for suspicious responses.

Who is affected

Azure-Access BLU-IC2 in versions up to and including 1.19.5 and Azure-Access BLU-IC4 in versions up to and including 1.19.5 (along with corresponding firmware versions).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Azure Access Blu Ic2

    HW
    Azure-Access
    wszystkie wersje
  • Azure Access Blu Ic2 Firmware

    OS
    Azure-Access
    < 1.20
  • Azure Access Blu Ic4

    HW
    Azure-Access
    wszystkie wersje
  • Azure Access Blu Ic4 Firmware

    OS
    Azure-Access
    < 1.20
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-12600CRITICAL10.0PL ✓ten sam produkt

Krytyczna podatność Web UI w urządzeniach Azure-Access BLU-IC2/IC4

CVE-2025-12599CRITICAL10.0PL ✓ten sam produkt

Współdzielenie statycznych sekretów SDKSocket w urządzeniach Azure-Access BLU-IC2/IC4

CVE-2025-12601CRITICAL10.0PL ✓ten sam produkt

Podatność DoS (SlowLoris) w Azure-Access BLU-IC2 i BLU-IC4

CVE-2025-12553CRITICAL10.0PL ✓ten sam produkt

Wyłączona weryfikacja certyfikatu serwera e-mail w Azure-Access BLU-IC2/IC4

CVE-2025-12516CRITICAL10.0PL ✓ten sam produkt

Brak obsługi błędów HTTP 5xx w Azure-Access BLU-IC2 i BLU-IC4