Stored Cross-Site Scripting Vulnerability in OpenZiti Admin Panel
CVE-2025-27500
CVSS 6.1 (MEDIUM)
What is CVE-2025-27500?
The OpenZiti admin panel (ziti-console) exposed an HTTP POST endpoint at /api/upload that accepted file uploads without requiring authentication. Anyone who can reach the panel can therefore upload a file containing HTML or JavaScript; when a user later opens that file from the panel's origin, the script runs in their browser as a stored cross-site scripting attack, giving the attacker access to that user's session and to any data the panel can read. The issue is fixed in ziti-console 3.7.1, which disables the upload functionality entirely as the application moves from a Node server architecture to a single-page application. Deployments running an older console should upgrade rather than rely on network placement alone, since the endpoint needs no credentials to reach.
Affected Version(s)
ziti-console < 3.7.1
