Impact
A flaw in the Radware Cyber Controller, present in all releases up to 10.11.0, permits an attacker to inject arbitrary HTML into the reports it generates. The vulnerability is identified as HTML injection (CWE‑74) and results in client‑side script execution (CWE‑80). Remote users can trigger the defect through the report‑generation API. While the CVE description does not specify authentication requirements, it is inferred that the endpoint may be reachable without credentials, but this inference is not confirmed. The CVE description notes that an exploit has been disclosed publicly and may be used, indicating that attackers have a working exploit available. This can lead to session hijacking, data theft, or defacement of the reporting interface.
Affected Systems
Systems running Radware Cyber Controller versions 10.11.0 or earlier host the vulnerable component. The exact module within the platform is unspecified, but the issue resides in the HTML Report Generation functionality accessible via the web API.
Risk and Exploitability
The CVSS base score of 5.1 indicates a moderate overall risk. The EPSS data is unavailable, and the vulnerability is not listed in the CISA KEV catalog. However, the CVE description notes that an exploit has been disclosed publicly and may be used, implying that attackers have access to a working exploit. The flaw requires only network access to the report‑generation endpoint; authentication requirements are not explicitly stated, and it is inferred that the endpoint may be reachable without credentials, but this inference is not guaranteed. Because the vulnerability allows client‑side script execution when a crafted report is viewed, the impact is primarily on users who open the report, and can be mitigated by restricting access to the endpoint or applying defensive coding measures.
OpenCVE Enrichment