{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-3840", "assignerOrgId": "bd8dbf88-98d9-42c6-be08-cf8e48a32093", "state": "PUBLISHED", "assignerShortName": "Saviynt", "dateReserved": "2025-04-21T09:34:01.701Z", "datePublished": "2025-04-21T09:39:16.343Z", "dateUpdated": "2025-04-21T12:38:16.967Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "packageName": "OVA based Connect", "platforms": ["Linux"], "product": "OVA based Connect", "vendor": "Saviynt", "versions": [{"status": "affected", "version": "AlmaLinux-8.x_SC2.0-Client-2.0"}, {"status": "affected", "version": "AlmaLinux-8.x_SC2.0-Client-3.0"}, {"status": "affected", "version": "CentOS-7.x_SC2.0-Client-2.0"}, {"status": "affected", "version": "CentOS-7.x_SC2.0-Client-3.0"}, {"status": "affected", "version": "RHEL-8.x_SC2.0-Client-2.0"}, {"status": "affected", "version": "RHEL-8.x_SC2.0-Client-3.0"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Achmea Security Assessment Team (SAT)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: transparent;\">An improper neutralization of input vulnerability was identified in the End of Life (EOL) OVA based connect installer component which is deployed for installation purposes in a customer network. This EOL component was deprecated in September 2023 with end of support extended till January 2024. </span><span style=\"background-color: transparent;\">An actor can manipulate the action parameter of the login form to inject malicious scripts which would lead to a XSS attack under certain conditions.</span><br>"}], "value": "An improper neutralization of input vulnerability was identified in the End of Life (EOL) OVA based connect installer component which is deployed for installation purposes in a customer network. This EOL component was deprecated in September 2023 with end of support extended till January 2024. An actor can manipulate the action parameter of the login form to inject malicious scripts which would lead to a XSS attack under certain conditions."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "ADJACENT", "baseScore": 2.1, "baseSeverity": "LOW", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "bd8dbf88-98d9-42c6-be08-cf8e48a32093", "shortName": "Saviynt", "dateUpdated": "2025-04-21T09:39:16.343Z"}, "references": [{"url": "https://saviynt.com/trust-compliance-security"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: transparent;\">Follow this documentation </span><span style=\"background-color: transparent;\"><a target=\"_blank\" rel=\"nofollow\" href=\"https://docs.saviyntcloud.com/bundle/Saviynt-Connect-20-Resources/page/Content/Saviynt-Connect-20-Client-Configurations.htm\">link</a></span><span style=\"background-color: transparent;\">&nbsp;and migrate to the latest version of Saviynt Connect component</span><br>"}], "value": "Follow this documentation link https://docs.saviyntcloud.com/bundle/Saviynt-Connect-20-Resources/page/Content/Saviynt-Connect-20-Client-Configurations.htm \u00a0and migrate to the latest version of Saviynt Connect component"}], "source": {"discovery": "UNKNOWN"}, "title": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-21T12:37:34.087132Z", "id": "CVE-2025-3840", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-21T12:38:16.967Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-3840", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-21T12:37:34.087132Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-21T12:38:05.573Z"}}], "cna": {"title": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Achmea Security Assessment Team (SAT)"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 2.1, "Automatable": "NOT_DEFINED", "attackVector": "ADJACENT", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Saviynt", "product": "OVA based Connect", "versions": [{"status": "affected", "version": "AlmaLinux-8.x_SC2.0-Client-2.0"}, {"status": "affected", "version": "AlmaLinux-8.x_SC2.0-Client-3.0"}, {"status": "affected", "version": "CentOS-7.x_SC2.0-Client-2.0"}, {"status": "affected", "version": "CentOS-7.x_SC2.0-Client-3.0"}, {"status": "affected", "version": "RHEL-8.x_SC2.0-Client-2.0"}, {"status": "affected", "version": "RHEL-8.x_SC2.0-Client-3.0"}], "platforms": ["Linux"], "packageName": "OVA based Connect", "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Follow this documentation link https://docs.saviyntcloud.com/bundle/Saviynt-Connect-20-Resources/page/Content/Saviynt-Connect-20-Client-Configurations.htm \u00a0and migrate to the latest version of Saviynt Connect component", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: transparent;\">Follow this documentation </span><span style=\"background-color: transparent;\"><a target=\"_blank\" rel=\"nofollow\" href=\"https://docs.saviyntcloud.com/bundle/Saviynt-Connect-20-Resources/page/Content/Saviynt-Connect-20-Client-Configurations.htm\">link</a></span><span style=\"background-color: transparent;\">&nbsp;and migrate to the latest version of Saviynt Connect component</span><br>", "base64": false}]}], "references": [{"url": "https://saviynt.com/trust-compliance-security"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "An improper neutralization of input vulnerability was identified in the End of Life (EOL) OVA based connect installer component which is deployed for installation purposes in a customer network. This EOL component was deprecated in September 2023 with end of support extended till January 2024. An actor can manipulate the action parameter of the login form to inject malicious scripts which would lead to a XSS attack under certain conditions.", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: transparent;\">An improper neutralization of input vulnerability was identified in the End of Life (EOL) OVA based connect installer component which is deployed for installation purposes in a customer network. This EOL component was deprecated in September 2023 with end of support extended till January 2024. </span><span style=\"background-color: transparent;\">An actor can manipulate the action parameter of the login form to inject malicious scripts which would lead to a XSS attack under certain conditions.</span><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "bd8dbf88-98d9-42c6-be08-cf8e48a32093", "shortName": "Saviynt", "dateUpdated": "2025-04-21T09:39:16.343Z"}}}, "cveMetadata": {"cveId": "CVE-2025-3840", "state": "PUBLISHED", "dateUpdated": "2025-04-21T12:38:16.967Z", "dateReserved": "2025-04-21T09:34:01.701Z", "assignerOrgId": "bd8dbf88-98d9-42c6-be08-cf8e48a32093", "datePublished": "2025-04-21T09:39:16.343Z", "assignerShortName": "Saviynt"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An improper neutralization of input vulnerability was identified in the End of Life (EOL) OVA based connect installer component which is deployed for installation purposes in a customer network. This EOL component was deprecated in September 2023 with end of support extended till January 2024. An actor can manipulate the action parameter of the login form to inject malicious scripts which would lead to a XSS attack under certain conditions."}], "id": "CVE-2025-3840", "lastModified": "2025-04-21T14:23:45.950", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "ADJACENT", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.1, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "bd8dbf88-98d9-42c6-be08-cf8e48a32093", "type": "Secondary"}]}, "published": "2025-04-21T10:15:15.643", "references": [{"source": "bd8dbf88-98d9-42c6-be08-cf8e48a32093", "url": "https://saviynt.com/trust-compliance-security"}], "sourceIdentifier": "bd8dbf88-98d9-42c6-be08-cf8e48a32093", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "bd8dbf88-98d9-42c6-be08-cf8e48a32093", "type": "Secondary"}]}

{}

{}