CVE-2025-10280 — Cross-site Scripting in Technologies IdentityIQ
Severity
6.1 MEDIUM (NVD)
7.1 (CNA)
EPSS
0.0%
top 92.47%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Nov 3
Description
IdentityIQ 8.5, IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p4,
IdentityIQ 8.3 and all 8.3 patch levels including 8.3p5, and all prior versions
allow some IdentityIQ web services that provide non-HTML content to be accessed
via a URL path that sets the Content-Type to HTML, allowing a requesting browser
to interpret content that is not properly escaped to prevent Cross-Site
Scripting (XSS).
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7