Stored Cross-Site Scripting Vulnerability in Nozomi Networks Products
CVE-2025-40899
7.1 HIGH
What is CVE-2025-40899?
A stored cross-site scripting vulnerability exists in Nozomi Networks products, specifically affecting the Assets and Nodes functionality. This issue arises from inadequate input validation, allowing authenticated users with custom fields privileges to introduce malicious JavaScript payloads in custom fields. When victims access the Assets or Nodes pages, the embedded scripts execute within their browser context. As a result, attackers can leverage this flaw to perform unauthorized operations, including data modification, service disruption, and unauthorized access to sensitive information.
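The rendering flaw described above, sketched as an added example that is not Nozomi Networks code: a hypothetical asset-row renderer that concatenates stored custom field values into markup, next to a version that encodes on output and validates on write. The function names, the record shape and the 256-character limit are assumptions.

```javascript
// Added illustration; all names here are hypothetical, not the product's code.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every character that can change the HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored value is concatenated into markup as-is,
// so it is parsed as HTML by every user who opens the page.
function renderRowUnsafe(asset) {
  const cells = Object.entries(asset.customFields)
    .map(([name, value]) => `<td title="${name}">${value}</td>`);
  return `<tr>${cells.join('')}</tr>`;
}

// Hardened pattern: encode on output, in attribute and element content alike.
function renderRowSafe(asset) {
  const cells = Object.entries(asset.customFields)
    .map(([name, value]) => `<td title="${escapeHtml(name)}">${escapeHtml(value)}</td>`);
  return `<tr>${cells.join('')}</tr>`;
}

// Defence in depth at write time (assumed policy): bounded length, no control
// characters, no angle brackets. Output encoding remains the primary fix,
// because data stored before validation existed is still rendered.
function validateCustomField(value) {
  if (typeof value !== 'string' || value.length > 256) return false;
  return !/[<>\u0000-\u001f\u007f]/.test(value);
}

// Constructed sample record with a benign marker value in one field.
const sampleAsset = {
  customFields: {
    location: 'Plant 2, Line A',
    owner: '<script>alert(1)</script>',
  },
};

console.log(renderRowUnsafe(sampleAsset)); // marker reaches the page as markup
console.log(renderRowSafe(sampleAsset));   // marker is rendered as inert text
```
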
Affected Version(s)
CMC 0 < 26.0.0
Guardian 0 < 26.0.0
CVSS V4
Score: 7.1
Severity: HIGH
Confidentiality: Low
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown
Timeline
Vulnerability published
Vulnerability Reserved
Credit
This issue was found by Andrea Palanca of the Nozomi Networks Product Security team during an internal investigation.
