CVE-2025-10280

IdentityIQ 8.5, IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p4, IdentityIQ 8.3 and all 8.3 patch levels including 8.3p5, and all prior versions allows some IdentityIQ web services that provide non-HTML content to be accessed via a URL path that will set the Content-Type to HTML allowing a requesting browser to interpret content not properly escaped to prevent Cross-Site Scripting (XSS).

CVSS v3 7.1 HIGH

7.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.sailpoint.com/security-advisories/sailpoint-identityiq-incorrect-content-type-cross-site-scripting-vulnerability-cve-2025-10280	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:sailpoint:identityiq::::::::
	cpe:2.3:a:sailpoint:identityiq:8.3:-::::::
	cpe:2.3:a:sailpoint:identityiq:8.3:patch1::::::
	cpe:2.3:a:sailpoint:identityiq:8.3:patch2::::::
	cpe:2.3:a:sailpoint:identityiq:8.3:patch4::::::
	cpe:2.3:a:sailpoint:identityiq:8.3:patch5::::::
	cpe:2.3:a:sailpoint:identityiq:8.4:-::::::
	cpe:2.3:a:sailpoint:identityiq:8.4:patch1::::::
	cpe:2.3:a:sailpoint:identityiq:8.4:patch2::::::
	cpe:2.3:a:sailpoint:identityiq:8.5:-::::::

History

No history.

Information

Published : 2025-11-03 17:15

Updated : 2025-11-12 14:49

NVD link : CVE-2025-10280

Mitre link : CVE-2025-10280

CVE.ORG link : CVE-2025-10280

JSON object : View

Products Affected

sailpoint

identityiq

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2025-10280", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "psirt@sailpoint.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2025-11-03T17:15:32.527", "references": [{"url": "https://www.sailpoint.com/security-advisories/sailpoint-identityiq-incorrect-content-type-cross-site-scripting-vulnerability-cve-2025-10280", "tags": ["Vendor Advisory"], "source": "psirt@sailpoint.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "psirt@sailpoint.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "IdentityIQ\n8.5, IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p4, IdentityIQ 8.3 and\nall 8.3 patch levels including 8.3p5, and all prior versions allows some\nIdentityIQ web services that provide non-HTML content to be accessed via a URL\npath that will set the Content-Type to HTML allowing a requesting browser to\ninterpret content not properly escaped to prevent Cross-Site Scripting (XSS)."}], "lastModified": "2025-11-12T14:49:56.593", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sailpoint:identityiq:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B7992F80-093D-4277-9AA8-5438ABFBF83B", "versionEndExcluding": "8.3"}, {"criteria": "cpe:2.3:a:sailpoint:identityiq:8.3:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1173CC53-CBE5-450C-96BF-8583D1B3D185"}, {"criteria": "cpe:2.3:a:sailpoint:identityiq:8.3:patch1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2C0F5E55-5D33-425F-9DA7-49FE66CD84C4"}, {"criteria": "cpe:2.3:a:sailpoint:identityiq:8.3:patch2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1A2FD228-E6DB-49E3-BE3E-1BF9B0434FC0"}, {"criteria": "cpe:2.3:a:sailpoint:identityiq:8.3:patch4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0652D99D-DC1E-4E22-8E7D-AE080494C50B"}, {"criteria": "cpe:2.3:a:sailpoint:identityiq:8.3:patch5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D7964011-B0F1-4F07-8C14-6EEA0B421F80"}, {"criteria": "cpe:2.3:a:sailpoint:identityiq:8.4:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4BC4F08D-A3FB-41F6-8EFD-6F34FBC0F75F"}, {"criteria": "cpe:2.3:a:sailpoint:identityiq:8.4:patch1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4ECFADA6-BB7B-4228-9434-B92B2FF21481"}, {"criteria": "cpe:2.3:a:sailpoint:identityiq:8.4:patch2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A39B1317-37C0-49DA-9207-7B7CBE6EC190"}, {"criteria": "cpe:2.3:a:sailpoint:identityiq:8.5:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "01FF7480-9CBA-4283-994C-B2586C2F5F54"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@sailpoint.com"}