Skip to main content

Secure Access CVE-2025-27706

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2025-05-28 SecurityResponse@netmotionsoftware.com
4.6
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
4.6 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
A
Scope
X

Lifecycle Timeline

2
Analysis Generated
Mar 28, 2026 - 18:44 vuln.today
CVE Published
May 28, 2025 - 21:15 nvd
MEDIUM 4.6

DescriptionCVE.org

CVE-2025-27706 is a cross-site scripting vulnerability in the management console of Absolute Secure Access prior to version 13.54. Attackers with system administrator permissions can interfere with another system administrator’s use of the management console when the second administrator visits the page. Attack complexity is low, there are no preexisting attack requirements, privileges required are high and active user interaction is required. There is no impact on confidentiality, the impact on integrity is low and there is no impact on availability.

AnalysisAI

CVE-2025-27706 is a cross-site scripting vulnerability in the management console of Absolute Secure Access prior to version 13.54. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. CVE-2025-27706 is a cross-site scripting vulnerability in the management console of Absolute Secure Access prior to version 13.54. Attackers with system administrator permissions can interfere with another system administrator’s use of the management console when the second administrator visits the page. Attack complexity is low, there are no preexisting attack requirements, privileges required are high and active user interaction is required. There is no impact on confidentiality, the impact on integrity is low and there is no impact on availability. Affected products include: Absolute Secure Access. Version information: version 13.54..

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2026-33445 HIGH
8.7 Jul 15

Persistent denial-of-service in Absolute Secure Access servers before version 14.55 allows a remote attacker with deep,

CVE-2026-40952 HIGH
8.5 Jul 15

Local privilege escalation in Absolute Secure Access for Windows (client and server) before version 14.55 allows a low-p

CVE-2025-49080 HIGH
7.5 Jun 12

Memory management vulnerability in Absolute Secure Access server versions 9.0 through 13.54 that allows unauthenticated,

CVE-2026-0517 HIGH
7.5 Jan 17

Secure Access Server versions before 14.20 are vulnerable to a network-based denial-of-service attack where unauthentica

CVE-2026-40950 HIGH
7.1 Apr 30

Buffer overflow in Absolute Secure Access server (versions before 14.50) allows authenticated remote attackers with modi

CVE-2026-33443 HIGH
7.1 Jul 15

Persistent denial-of-service in Absolute Secure Access servers before version 14.55 allows an authenticated tunnel parti

CVE-2026-55398 MEDIUM
6.9 Jul 15

Memory management flaw in Absolute Secure Access prior to version 14.55 allows a remote attacker with deep protocol know

CVE-2026-33444 MEDIUM
6.9 Jul 15

Non-persistent denial-of-service against Absolute Secure Access servers prior to version 14.55 is achievable by an attac

CVE-2026-40953 MEDIUM
6.7 Jul 15

Heap overflow in Absolute Security Secure Access client certificate parsing causes a local denial of service. Versions p

CVE-2025-54088 MEDIUM
6.1 Oct 02

CVE-2025-54088 is an open-redirect vulnerability in Secure Access prior to version 14.10. Attackers with access to the c

CVE-2026-40957 MEDIUM
6.1 Jul 15

Frameable content on the Absolute Secure Access server login page (versions prior to 14.55) enables clickjacking attacks

CVE-2024-37345 MEDIUM
5.4 Jun 20

There is a cross-site scripting vulnerability in the Secure Access administrative UI of Absolute Secure Access prior to

Share

CVE-2025-27706 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy