CVE-2025-5015 | THREATINT

Description

A cross-site scripting vulnerability exists in the AccuWeather and Custom RSS widget that allows an unauthenticated user to replace the RSS feed URL with a malicious one.

PUBLISHED Reserved 2025-05-20 | Published 2025-06-25 | Updated 2025-06-25 | Assigner icscert

HIGH: 8.8CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Problem types

CWE-79

Product status

Default status

unaffected

5.18

affected

5.03

affected

4.02 (custom)

affected

3.30

affected

Default status

unaffected

Any version before 1.22

affected

Credits

Joshua Dillon reported this vulnerability to CISA. finder

References

www.cisa.gov/news-events/ics-advisories/icsa-25-175-06

cve.org (CVE-2025-5015)

nvd.nist.gov (CVE-2025-5015)

Download JSON