CVE-2025-10280
- Source
- https://cve.org/CVERecord?id=CVE-2025-10280
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-10280.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-10280
- Published
- 2025-11-03T17:15:32.527Z
- Modified
- 2026-03-12T17:32:53.405310Z
- Severity
-
- 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- [none]
- Details
-
IdentityIQ 8.5, IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p4, IdentityIQ 8.3 and all 8.3 patch levels including 8.3p5, and all prior versions allows some IdentityIQ web services that provide non-HTML content to be accessed via a URL path that will set the Content-Type to HTML allowing a requesting browser to interpret content not properly escaped to prevent Cross-Site Scripting (XSS).
- References
Affected packages
Git /
Database specific
unresolved_ranges
[
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.3"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "8.3-NA"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "8.3-patch1"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "8.3-patch2"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "8.3-patch4"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "8.3-patch5"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "8.4-NA"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "8.4-patch1"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "8.4-patch2"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "8.5-NA"
}
]
}
]
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-10280.json"