Home

Description

A client-side path traversal vulnerability was discovered in the web management interface front-end due to missing validation of an input parameter. An authenticated user with limited privileges can craft a malicious URL which, if visited by an authenticated victim, leads to a Cross-Site Scripting (XSS) attack.

PUBLISHED Reserved 2025-04-16 | Published 2025-10-07 | Updated 2025-10-07 | Assigner Nozomi




MEDIUM: 5.8CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:L/VI:H/VA:H/SC:L/SI:L/SA:L

HIGH: 7.9CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:H

Problem types

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

Default status
unaffected

Any version before 25.2.0
affected

Default status
unaffected

Any version before 25.2.0
affected

Credits

This issue was found by Stefano Libero and Andrea Palanca of Nozomi Networks Product Security team during an internal investigation. finder

References

security.nozominetworks.com/NN-2025:4-01

cve.org (CVE-2025-3718)

nvd.nist.gov (CVE-2025-3718)

Download JSON