CVE-2025-40904
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L
Summary
A Stored HTML Injection vulnerability was discovered in the Smart Polling functionality due to improper validation of an input parameter. An authenticated user with limited privileges can push malicious remote strategies containing HTML tags through the sync. When a victim views the affected remote strategy in the Smart Polling functionality, the injected HTML renders in their browser, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Nozomi Networks | Guardian | 0 < 26.1.0 | affected |
| Nozomi Networks | CMC | 0 < 26.1.0 | affected |
Weaknesses
- CWE-79: CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')
Workarounds
Review all enabled sensors and disallow or delete untrusted ones.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.