Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2025-22270

Severity CVSS v4.0:
HIGH
Type:
CWE-79 Cross-Site Scripting (XSS)
Publication date:
28/02/2025
Last modified:
05/03/2025

Description

An attacker with access to the Administration panel, specifically the "Role Management"<br /> tab, can<br /> inject code by adding a new role in the "name" field. It should be noted, however, that the risk of exploiting vulnerability is reduced due to the<br /> required additional error that allows bypassing the Content-Security-Policy policy, which<br /> mitigates JS code execution while still allowing HTML injection.<br /> <br /> <br /> This issue affects CyberArk Endpoint Privilege Manager in SaaS version 24.7.1. The status of other versions is unknown. After multiple attempts to contact the vendor we did not receive any answer.

Impact

Vector 4.0
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS v4.0 Severity and Metrics:

Base Score: 7.30 HIGH
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Attack Vector (AV): Network
Attack Complexity (AC): Low
Attack Requirements (AT): Present
Privileges Required (PR): High
User Interaction (UI): Passsive
Confidentiality (VC): High
Integrity (VI): High
Availability (VA): High
Confidentiality (SC): None
Integrity (SI): None
Availability (SA): None

Base Score 4.0
7.30
Severity 4.0
HIGH

References to Advisories, Solutions, and Tools