CVE Catalog

CVE-2025-40904

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.03%

9th percentile - higher than 9% of all known CVEs

Summary

A Stored HTML Injection vulnerability was discovered in the Smart Polling functionality due to improper validation of an input parameter. An authenticated user with limited privileges can push malicious remote strategies containing HTML tags, which render in the victim's browser.

Risk Assessment

This vulnerability may lead to phishing attacks and potentially open redirect attacks. Although full XSS exploitation and direct information disclosure are mitigated by existing input validation and Content Security Policy configuration, the risk remains.

Recommendation

It is recommended to review and strengthen input parameter validation and to monitor user activity for potential exploitation attempts.

Original NVD description (English source)

A Stored HTML Injection vulnerability was discovered in the Smart Polling functionality due to improper validation of an input parameter. An authenticated user with limited privileges can push malicious remote strategies containing HTML tags through the sync. When a victim views the affected remote strategy in the Smart Polling functionality, the injected HTML renders in their browser, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS