CVE-2025-27102

Source
https://cve.org/CVERecord?id=CVE-2025-27102
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-27102.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-27102
Aliases
  • GHSA-v3wj-7vj5-xj5v
Published
2025-03-17T13:11:53.696Z
Modified
2026-04-10T05:24:39.442129Z
Severity
  • 5.4 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:P CVSS Calculator
Summary
Agate vulnerable to HTML injection in user signup - Administrator phishing risk
Details

Agate is central authentication server software for OBiBa epidemiology applications. Prior to version 3.3.0, when registering for an Agate account, arbitrary HTML code can be injected into a user's first and last name. This HTML is then rendered in the email sent to administrative users. The Agate service account sends this email and appears trustworthy, making this a significant risk for phishing attacks. Administrative users are impacted, as they can be targeted by unauthenticated users. Version 3.3.0 fixes the issue.

Database specific
{
    "cwe_ids": [
        "CWE-79"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/27xxx/CVE-2025-27102.json"
}
References

Affected packages

Git / github.com/obiba/agate

Affected ranges

Type
GIT
Repo
https://github.com/obiba/agate
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

3.*
3.1.0
3.1.1
3.2.0
3.2.0-RC1
3.2.0-RC2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-27102.json"