CVE-2025-6725
5.4
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
In the PdfViewer component, a Cross-Site Scripting (XSS) vulnerability is possible if a specially-crafted document has already been loaded and the user engages with a tool that requires the DOM to be re-rendered.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Progress Software | Kendo UI for jQuery | 2024.4.1112 <= 2025.2.520 | affected |
| Progress Software | Kendo UI for Angular | 18.5.0 <= 19.1.2 | affected |
| Progress Software | KendoReact | 5.10.0 <= 11.1.0 | affected |
| Progress Software | Telerik UI for ASP.NET MVC | 2024.4.1112 <= 2025.2.520 | affected |
| Progress Software | Telerik UI for ASP.NET Core | 2024.4.1112 <= 2025.2.520 | affected |
| Progress Software | Telerik UI for Blazor | 3.6.0 <= 9.0.0 | affected |
Weaknesses
- CWE-79: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://www.telerik.com/blazor-ui/documentation/knowledge-base/pdfviewer-xss-vulnerability-cve-2025-6725
- https://www.telerik.com/aspnet-core-ui/documentation/knowledge-base/kb-security-pdfviewer-xss-cve-2025-6725
- https://www.telerik.com/aspnet-mvc/documentation/knowledge-base/kb-security-pdfviewer-xss-cve-2025-6725
- https://www.telerik.com/kendo-jquery-ui/documentation/knowledge-base/kb-security-pdfviewer-xss-cve-2025-6725
- https://www.telerik.com/kendo-angular-ui/components/knowledge-base/kb-security-pdfviewer-xss-cve-2025-6725
- https://www.telerik.com/kendo-react-ui/components/knowledge-base/kb-security-pdfviewer-xss-cve-2025-6725
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.