CVE-2025-50055Cross-site Scripting in Access Server

CWE-79Cross-site ScriptingCWE-415Double Free3 documents3 sources
Severity
6.4MEDIUMNVD
EPSS
0.0%
top 88.67%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
7
Openvpn Access ServerMsrc Azl3 Kernel 6.6.56.1-5 ON Azure Linux 3.0Msrc Azl3 Kernel 6.6.57.1-1 ON Azure Linux 3.0+4 more
Timeline
PublishedOct 27

Description

Cross-site scripting (XSS) vulnerability in the SAML Authentication module in OpenVPN Access Server version 2.14.0 through 2.14.3 allows configured remote SAML Assertion Consumer Service (ACS) endpoint servers to inject arbitrary web script or HTML via the RelayState parameter

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NExploitability: 3.1 | Impact: 2.7

Affected Packages7 packages

CVEListV5openvpn/access_server2.14.02.14.3

🔴Vulnerability Details

1
GHSA
GHSA-pcpf-m9xc-438x: Cross-site scripting (XSS) vulnerability in the SAML Authentication module in OpenVPN Access Server version 22025-10-27

📋Vendor Advisories

1
Microsoft
driver core: bus: Fix double free in driver API bus_register()2024-10-08
CVE-2025-50055 — Cross-site Scripting in Access Server | cvebase