Refine your search
5 vulnerabilities found for identityiq by sailpoint
CVE-2025-10280 (GCVE-0-2025-10280)
Vulnerability from nvd
Published
2025-11-03 16:35
Modified
2025-11-06 20:45
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Summary
IdentityIQ
8.5, IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p4, IdentityIQ 8.3 and
all 8.3 patch levels including 8.3p5, and all prior versions allows some
IdentityIQ web services that provide non-HTML content to be accessed via a URL
path that will set the Content-Type to HTML allowing a requesting browser to
interpret content not properly escaped to prevent Cross-Site Scripting (XSS).
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SailPoint Technologies | IdentityIQ |
Version: 8.5 ≤ Version: 8.4 ≤ Version: 8.3 ≤ 8.3p5 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10280",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-03T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-04T04:55:16.187Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "IdentityIQ",
"vendor": "SailPoint Technologies",
"versions": [
{
"status": "affected",
"version": "8.5",
"versionType": "semver"
},
{
"lessThan": "8.4p4",
"status": "affected",
"version": "8.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.3p5",
"status": "affected",
"version": "8.3",
"versionType": "semver"
}
]
}
],
"datePublic": "2025-11-03T16:35:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIdentityIQ\n8.5, IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p4, IdentityIQ 8.3 and\nall 8.3 patch levels including 8.3p5, and all prior versions allows some\nIdentityIQ web services that provide non-HTML content to be accessed via a URL\npath that will set the Content-Type to HTML allowing a requesting browser to\ninterpret content not properly escaped to prevent Cross-Site Scripting (XSS). \u003c/p\u003e"
}
],
"value": "IdentityIQ\n8.5, IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p4, IdentityIQ 8.3 and\nall 8.3 patch levels including 8.3p5, and all prior versions allows some\nIdentityIQ web services that provide non-HTML content to be accessed via a URL\npath that will set the Content-Type to HTML allowing a requesting browser to\ninterpret content not properly escaped to prevent Cross-Site Scripting (XSS)."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-06T20:45:31.741Z",
"orgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719",
"shortName": "SailPoint"
},
"references": [
{
"url": "https://www.sailpoint.com/security-advisories/sailpoint-identityiq-incorrect-content-type-cross-site-scripting-vulnerability-cve-2025-10280"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Incorrect Content Type Cross-Site Scripting Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719",
"assignerShortName": "SailPoint",
"cveId": "CVE-2025-10280",
"datePublished": "2025-11-03T16:35:56.241Z",
"dateReserved": "2025-09-11T16:02:56.954Z",
"dateUpdated": "2025-11-06T20:45:31.741Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-10905 (GCVE-0-2024-10905)
Vulnerability from nvd
Published
2024-12-02 14:49
Modified
2025-01-06 17:42
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-66 - Improper Handling of File Names that Identify Virtual Resources
Summary
IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p2, IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p5, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p8, and all prior versions allow HTTP/HTTPS access to static content in the IdentityIQ application directory that should be protected.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SailPoint Technologies | IdentityIQ |
Version: 8.2 ≤ Version: 8.3 ≤ Version: 8.4 ≤ |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:sailpoint:identityiq:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "identityiq",
"vendor": "sailpoint",
"versions": [
{
"lessThan": "8.2p8",
"status": "affected",
"version": "8.2",
"versionType": "semver"
},
{
"lessThan": "8.3p5",
"status": "affected",
"version": "8.3",
"versionType": "semver"
},
{
"lessThan": "8.4p2",
"status": "affected",
"version": "8.4",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-10905",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-03T04:55:24.996838Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-06T17:42:22.215Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "IdentityIQ",
"vendor": "SailPoint Technologies",
"versions": [
{
"lessThan": "8.2p8",
"status": "affected",
"version": "8.2",
"versionType": "semver"
},
{
"lessThan": "8.3p5",
"status": "affected",
"version": "8.3",
"versionType": "semver"
},
{
"lessThan": "8.4p2",
"status": "affected",
"version": "8.4",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p2, IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p5, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p8, and all prior versions\u0026nbsp;\u003cspan style=\"background-color: var(--wht);\"\u003eallow HTTP/HTTPS access to\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003estatic content in the IdentityIQ application directory that should be protected.\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003e\u003cbr\u003e\u003c/span\u003e\n\n\n\u003cbr\u003e"
}
],
"value": "IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p2, IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p5, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p8, and all prior versions\u00a0allow HTTP/HTTPS access to\u00a0static content in the IdentityIQ application directory that should be protected."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-66",
"description": "CWE-66: Improper Handling of File Names that Identify Virtual Resources",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-06T17:57:12.682Z",
"orgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719",
"shortName": "SailPoint"
},
"references": [
{
"url": "https://www.sailpoint.com/security-advisories/identityiq-improper-access-control-vulnerability-cve-2024-10905"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://community.sailpoint.com/t5/IdentityIQ-Blog/IdentityIQ-Improper-Access-Control-Vulnerability/ba-p/261409\"\u003ehttps://community.sailpoint.com/t5/IdentityIQ-Blog/IdentityIQ-Improper-Access-Control-Vulnerability/...\u003c/a\u003e"
}
],
"value": "https://community.sailpoint.com/t5/IdentityIQ-Blog/IdentityIQ-Improper-Access-Control-Vulnerability/... https://community.sailpoint.com/t5/IdentityIQ-Blog/IdentityIQ-Improper-Access-Control-Vulnerability/ba-p/261409"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IdentityIQ Improper Access Control VulnerabilityIdentityIQ Improper Access Control Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719",
"assignerShortName": "SailPoint",
"cveId": "CVE-2024-10905",
"datePublished": "2024-12-02T14:49:51.199Z",
"dateReserved": "2024-11-05T20:21:47.258Z",
"dateUpdated": "2025-01-06T17:42:22.215Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-2228 (GCVE-0-2024-2228)
Vulnerability from nvd
Published
2024-03-22 15:50
Modified
2024-08-01 19:03
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-269 - Improper Privilege Management
Summary
This vulnerability allows an authenticated user to perform a Lifecycle Manager flow or other QuickLink for a target user outside of the defined QuickLink Population.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SailPoint | IdentityIQ |
Version: 8.1 ≤ Version: 8.2 ≤ Version: 8.3 ≤ Version: 8.4 ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2228",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-22T18:33:57.066222Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-05T17:21:16.762Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:03:39.121Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.sailpoint.com/security-advisories/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "IdentityIQ",
"vendor": "SailPoint",
"versions": [
{
"lessThan": "8.1p7",
"status": "affected",
"version": "8.1",
"versionType": "semver"
},
{
"lessThan": "8.2p7",
"status": "affected",
"version": "8.2",
"versionType": "semver"
},
{
"lessThan": "8.3p4",
"status": "affected",
"version": "8.3",
"versionType": "semver"
},
{
"lessThan": "8.4p1",
"status": "affected",
"version": "8.4",
"versionType": "semver"
}
]
}
],
"datePublic": "2024-03-21T15:43:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This vulnerability allows an authenticated user to perform a Lifecycle Manager flow or other QuickLink for a target user outside of the defined QuickLink Population."
}
],
"value": "This vulnerability allows an authenticated user to perform a Lifecycle Manager flow or other QuickLink for a target user outside of the defined QuickLink Population."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-22T15:50:09.729Z",
"orgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719",
"shortName": "SailPoint"
},
"references": [
{
"url": "https://www.sailpoint.com/security-advisories/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IdentityIQ Authorization of QuickLink Target Identities Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719",
"assignerShortName": "SailPoint",
"cveId": "CVE-2024-2228",
"datePublished": "2024-03-22T15:50:09.729Z",
"dateReserved": "2024-03-06T17:01:59.959Z",
"dateUpdated": "2024-08-01T19:03:39.121Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-2227 (GCVE-0-2024-2227)
Vulnerability from nvd
Published
2024-03-22 15:43
Modified
2024-08-01 19:03
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
This vulnerability allows access to arbitrary files in the application server file system due to a path traversal vulnerability in JavaServer Faces (JSF) 2.2.20 documented in CVE-2020-6950. The remediation for this vulnerability contained in this security fix provides additional changes to the remediation announced in May 2021 tracked by ETN IIQSAW-3585 and January 2024 tracked by IIQFW-336. This vulnerability in IdentityIQ is assigned CVE-2024-2227.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SailPoint | IdentityIQ |
Version: 8.1 ≤ Version: 8.2 ≤ Version: 8.3 ≤ Version: 8.4 ≤ |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:sailpoint:identityiq:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "identityiq",
"vendor": "sailpoint",
"versions": [
{
"lessThan": "8.1p7",
"status": "affected",
"version": "8.1",
"versionType": "custom"
},
{
"lessThan": "8.2p7",
"status": "affected",
"version": "8.2",
"versionType": "custom"
},
{
"lessThan": "8.3p4",
"status": "affected",
"version": "8.3",
"versionType": "custom"
},
{
"lessThan": "8.4p1",
"status": "affected",
"version": "8.4",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2227",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-30T04:00:58.434391Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-01T18:45:07.233Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:03:39.142Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.sailpoint.com/security-advisories/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "IdentityIQ",
"vendor": "SailPoint",
"versions": [
{
"lessThan": "8.1p7",
"status": "affected",
"version": "8.1",
"versionType": "semver"
},
{
"lessThan": "8.2p7",
"status": "affected",
"version": "8.2",
"versionType": "semver"
},
{
"lessThan": "8.3p4",
"status": "affected",
"version": "8.3",
"versionType": "semver"
},
{
"lessThan": "8.4p1",
"status": "affected",
"version": "8.4",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Jose Domingo Carillo Lencina, 0xd0m7"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This vulnerability allows access to arbitrary files in the application server file system due to a path traversal vulnerability in JavaServer Faces (JSF) 2.2.20 documented in CVE-2020-6950. The remediation for this vulnerability contained in this security fix provides additional changes to the remediation announced in May 2021 tracked by ETN IIQSAW-3585 and January 2024 tracked by IIQFW-336. This vulnerability in IdentityIQ is assigned CVE-2024-2227."
}
],
"value": "This vulnerability allows access to arbitrary files in the application server file system due to a path traversal vulnerability in JavaServer Faces (JSF) 2.2.20 documented in CVE-2020-6950. The remediation for this vulnerability contained in this security fix provides additional changes to the remediation announced in May 2021 tracked by ETN IIQSAW-3585 and January 2024 tracked by IIQFW-336. This vulnerability in IdentityIQ is assigned CVE-2024-2227."
}
],
"impacts": [
{
"capecId": "CAPEC-126",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-126 Path Traversal"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-22T15:43:12.869Z",
"orgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719",
"shortName": "SailPoint"
},
"references": [
{
"url": "https://www.sailpoint.com/security-advisories/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IdentityIQ JavaServer Faces File Path Traversal Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719",
"assignerShortName": "SailPoint",
"cveId": "CVE-2024-2227",
"datePublished": "2024-03-22T15:43:12.869Z",
"dateReserved": "2024-03-06T17:01:38.789Z",
"dateUpdated": "2024-08-01T19:03:39.142Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-10280 (GCVE-0-2025-10280)
Vulnerability from cvelistv5
Published
2025-11-03 16:35
Modified
2025-11-06 20:45
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Summary
IdentityIQ
8.5, IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p4, IdentityIQ 8.3 and
all 8.3 patch levels including 8.3p5, and all prior versions allows some
IdentityIQ web services that provide non-HTML content to be accessed via a URL
path that will set the Content-Type to HTML allowing a requesting browser to
interpret content not properly escaped to prevent Cross-Site Scripting (XSS).
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SailPoint Technologies | IdentityIQ |
Version: 8.5 ≤ Version: 8.4 ≤ Version: 8.3 ≤ 8.3p5 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10280",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-03T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-04T04:55:16.187Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "IdentityIQ",
"vendor": "SailPoint Technologies",
"versions": [
{
"status": "affected",
"version": "8.5",
"versionType": "semver"
},
{
"lessThan": "8.4p4",
"status": "affected",
"version": "8.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.3p5",
"status": "affected",
"version": "8.3",
"versionType": "semver"
}
]
}
],
"datePublic": "2025-11-03T16:35:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIdentityIQ\n8.5, IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p4, IdentityIQ 8.3 and\nall 8.3 patch levels including 8.3p5, and all prior versions allows some\nIdentityIQ web services that provide non-HTML content to be accessed via a URL\npath that will set the Content-Type to HTML allowing a requesting browser to\ninterpret content not properly escaped to prevent Cross-Site Scripting (XSS). \u003c/p\u003e"
}
],
"value": "IdentityIQ\n8.5, IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p4, IdentityIQ 8.3 and\nall 8.3 patch levels including 8.3p5, and all prior versions allows some\nIdentityIQ web services that provide non-HTML content to be accessed via a URL\npath that will set the Content-Type to HTML allowing a requesting browser to\ninterpret content not properly escaped to prevent Cross-Site Scripting (XSS)."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-06T20:45:31.741Z",
"orgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719",
"shortName": "SailPoint"
},
"references": [
{
"url": "https://www.sailpoint.com/security-advisories/sailpoint-identityiq-incorrect-content-type-cross-site-scripting-vulnerability-cve-2025-10280"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Incorrect Content Type Cross-Site Scripting Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719",
"assignerShortName": "SailPoint",
"cveId": "CVE-2025-10280",
"datePublished": "2025-11-03T16:35:56.241Z",
"dateReserved": "2025-09-11T16:02:56.954Z",
"dateUpdated": "2025-11-06T20:45:31.741Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}