Input Handling Flaw in End of Life OVA Installer by Saviynt
CVE-2025-3840
2.1 LOW
What is CVE-2025-3840?
An input handling flaw has been discovered in Saviynt's End of Life OVA based Connect installer. The action parameter of the login form is not validated, so an attacker can manipulate it, potentially leading to Cross-Site Scripting (XSS). The component was deprecated in September 2023 but supported until January 2024, so systems still running it remain exposed. Proper input validation and output sanitization are critical to mitigating this class of attack.
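As an added illustration (not code from the advisory or from Saviynt), a hypothetical login page handler that copies an action parameter straight into the form's action attribute, beside a hardened version that allowlists the value and attribute-encodes it; the parameter name, paths and sample inputs are assumptions.

```python
import html
from typing import Optional
from urllib.parse import urlsplit

# Assumption: the login page accepts an "action" query parameter and writes it
# into <form action="...">. Hypothetical handler, not Saviynt's code.
ALLOWED_ACTIONS = {"/login", "/login/mfa"}   # same-origin paths the form may post to
DEFAULT_ACTION = "/login"


def render_form_unsafe(action: str) -> str:
    """Vulnerable pattern: untrusted input is reflected verbatim into markup."""
    return f'<form method="post" action="{action}">...</form>'


def safe_action(action: Optional[str]) -> str:
    """Allowlist check: keep only known relative paths, fall back otherwise."""
    if not action:
        return DEFAULT_ACTION
    parts = urlsplit(action)
    # Reject absolute and protocol-relative URLs (scheme or host present).
    if parts.scheme or parts.netloc or action.startswith("//"):
        return DEFAULT_ACTION
    # Reject anything that is not an expected form target.
    if parts.path not in ALLOWED_ACTIONS:
        return DEFAULT_ACTION
    return parts.path


def render_form_safe(action: Optional[str]) -> str:
    """Hardened: validate against the allowlist, then attribute-encode as defence in depth."""
    target = html.escape(safe_action(action), quote=True)
    return f'<form method="post" action="{target}">...</form>'


if __name__ == "__main__":
    # Constructed sample input: a value that closes the attribute and injects a tag.
    sample = '"><i>injected</i>'
    print(render_form_unsafe(sample))   # attribute broken, tag lands in the page
    print(render_form_safe(sample))     # falls back to the allowlisted default
```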
Affected Version(s)
OVA based Connect Linux AlmaLinux-8.x_SC2.0-Client-2.0
OVA based Connect Linux AlmaLinux-8.x_SC2.0-Client-3.0
OVA based Connect Linux CentOS-7.x_SC2.0-Client-2.0
CVSS V4
Score: 2.1
Severity: LOW
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Adjacent Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Achmea Security Assessment Team (SAT)