CVE Catalog

CVE-2025-40900

MediumCVSS 4.6
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.04%

11th percentile - higher than 11% of all known CVEs

Summary

An Angular template injection vulnerability was discovered in the Reports functionality due to improper validation of an input parameter. An authenticated user with report privileges can define a malicious report containing an Angular template payload.

Risk Assessment

An attacker can modify application data or disrupt application availability when the victim views or imports the malicious report template. Existing input validation and Content Security Policy configuration prevent full XSS exploitation and direct information disclosure.

Recommendation

It is recommended to review and strengthen input parameter validation and to monitor the activities of users with report privileges to detect potential attack attempts.

Original NVD description (English source)

An Angular template injection vulnerability was discovered in the Reports functionality due to improper validation of an input parameter. An authenticated user with report privileges can define a malicious report containing an Angular template payload, or a victim can be socially engineered to import a malicious report template. When the victim views or imports the report, the Angular template executes in their browser context, allowing the attacker to modify application data, or disrupt application availability. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS