Home

Description

IdentityIQ 8.5, IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p4, IdentityIQ 8.3 and all 8.3 patch levels including 8.3p5, and all prior versions allows some IdentityIQ web services that provide non-HTML content to be accessed via a URL path that will set the Content-Type to HTML allowing a requesting browser to interpret content not properly escaped to prevent Cross-Site Scripting (XSS).

PUBLISHED Reserved 2025-09-11 | Published 2025-11-03 | Updated 2025-11-06 | Assigner SailPoint




HIGH: 7.1CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Problem types

CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

Product status

Default status
affected

8.5 (semver)
affected

8.4 (semver) before 8.4p4
affected

8.3 (semver)
affected

References

www.sailpoint.com/...-scripting-vulnerability-cve-2025-10280

cve.org (CVE-2025-10280)

nvd.nist.gov (CVE-2025-10280)

Download JSON