CVE-2025-46545
4.4
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
Summary
In Sherpa Orchestrator 141851, the functionality for adding or updating licenses allows for stored XSS attacks by an administrator through the name parameter. The XSS payload can execute when the license expires.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Sherpa | Orchestrator | 141851 | affected |
Weaknesses
- CWE-79: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://sherparpa.com
- https://twitter.com/ArtyomBrylev
- https://deiteriy.com
- https://gist.github.com/ArtemBrylev/5a0c76285d5fa9daf4ec753034185de7
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.