CVE-2025-28243

| EUVD-2025-21049 HIGH
2025-07-10 [email protected]
8.0
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

4
Analysis Generated
Mar 16, 2026 - 06:52 vuln.today
EUVD ID Assigned
Mar 16, 2026 - 06:52 euvd
EUVD-2025-21049
PoC Detected
Jul 17, 2025 - 13:16 vuln.today
Public exploit code
CVE Published
Jul 10, 2025 - 19:15 nvd
HIGH 8.0

Tags

Code Injection Alteryx Server

Description

An issue in Alteryx Server v.2023.1.1.460 allows HTML injection via a crafted script to the pages component.

Analysis

CVE-2025-28243 is a Stored/Reflected HTML Injection vulnerability in Alteryx Server 2023.1.1.460 affecting the pages component, enabling unauthenticated attackers to inject malicious scripts that execute in victims' browsers with user interaction. This vulnerability carries a CVSS 8.0 score with high confidentiality and integrity impact; while no KEV or confirmed EPSS data is provided in the source material, the network-accessible attack vector and relatively high CVSS indicate moderate-to-significant real-world risk depending on deployment scope and user exposure.

Technical Context

The vulnerability exists in Alteryx Server's pages component (CPE likely: cpe:2.3:a:alteryx:alteryx_server:2023.1.1.460:*:*:*:*:*:*:*), which fails to properly sanitize user-supplied input before rendering it in HTML context. This is a classic CWE-79 (Improper Neutralization of Input During Web Page Generation) vulnerability—the pages component accepts crafted script input without adequate output encoding or input validation, allowing attackers to inject arbitrary HTML and JavaScript. The vulnerability operates at the web application layer, suggesting the pages component lacks proper Context-Aware Output Encoding (CAOE) or Content Security Policy (CSP) headers to mitigate script execution.

Affected Products

- product: Alteryx Server; affected_version: 2023.1.1.460; cpe: cpe:2.3:a:alteryx:alteryx_server:2023.1.460:*:*:*:*:*:*:*; affected_component: Pages component; status: Vulnerable

Remediation

1. **Immediate Patch**: Upgrade Alteryx Server to a version newer than 2023.1.1.460 (Alteryx should release a patched 2023.1.x or recommend upgrade to 2024.x LTS). Check Alteryx Security Advisory portal for official patch availability. 2. **Input Validation & Sanitization**: If patch is unavailable, implement strict input validation on the pages component—whitelist allowed characters and reject or encode special HTML/JavaScript characters (<, >, ", ', script tags). 3. **Output Encoding**: Enforce HTML entity encoding for all user-controlled data rendered in the pages component (e.g., &lt;, &gt;, &quot;). 4. **Content Security Policy (CSP)**: Deploy CSP headers (script-src 'self'; object-src 'none') to restrict inline script execution. 5. **Web Application Firewall (WAF)**: Deploy a WAF rule to detect and block requests containing script injection patterns targeting the pages endpoint. 6. **User Education**: Warn users against clicking untrusted links to pages components from external sources.

Priority Score

60
Low Medium High Critical
KEV: 0
EPSS: +0.1
CVSS: +40
POC: +20

Share

CVE-2025-28243 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy