Stored HTML Injection Vulnerability in Smart Polling by Vendor
CVE-2025-40904
5.1 MEDIUM
What is CVE-2025-40904?
A Stored HTML Injection vulnerability was identified in the Smart Polling functionality, caused by inadequate validation of input parameters. It allows authenticated users with limited privileges to inject malicious HTML content into remote strategies. When a victim opens one of these strategies, the injected markup is rendered in their browser, potentially enabling phishing attempts and redirecting users to harmful sites. Existing input validation and a well-configured Content Security Policy prevent full XSS exploitation and limit the risk of information disclosure.
Affected Version(s)
CMC 0 < 26.1.0
Guardian 0 < 26.1.0
References
CVSS V4
Score: 5.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown
Timeline
Vulnerability published
Vulnerability Reserved
Credit
This issue was found by Stefano Libero and Andrea Palanca of Nozomi Networks Product Security team during an internal investigation.
