CVE-2025-10280— Incorrect Content Type Cross-Site Scripting Vulnerability

Incorrect Content Type Cross-Site Scripting Vulnerability

IdentityIQ 8.5, IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p4, IdentityIQ 8.3 and all 8.3 patch levels including 8.3p5, and all prior versions allows some IdentityIQ web services that provide non-HTML content to be accessed via a URL path that will set the Content-Type to HTML allowing a requesting browser to interpret content not properly escaped to prevent Cross-Site Scripting (XSS).

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

SailPoint IdentityIQ 安全漏洞

SailPoint IdentityIQ是SailPoint公司的一个利用人工智能和机器学习实现无缝自动化供应的完整解决方案。 SailPoint IdentityIQ存在安全漏洞，该漏洞源于某些IdentityIQ Web服务可通过URL路径设置Content-Type为HTML，导致浏览器解释未正确转义的内容，可能引发跨站脚本攻击。

N/A

N/A