Description

HTML injection vulnerability in NICE Chat. This vulnerability allows an attacker to inject and render arbitrary HTML content in email transcripts by modifying the 'firstName' and 'lastName' parameters during a chat session. The injected HTML is included in the body of the email sent by the system, which could enable phishing attacks, impersonation, or credential theft.

PUBLISHED Reserved 2025-09-23 | Published 2026-02-03 | Updated 2026-02-03 | Assigner INCIBE




HIGH: 7.1 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

Product status

Default status: unaffected

all versions: affected

Credits

Leopoldo Angulo Gallego (leoanggal1), finder

References

www.incibe.es/...cert/notices/aviso/html-injection-nice-chat

cve.org (CVE-2025-59902)

nvd.nist.gov (CVE-2025-59902)
