
Alteryx Server CVE-2025-28243

EUVD-2025-21049 · HIGH
Cross-site Scripting (XSS) (CWE-79)
Published 2025-07-10 · Assigner: cve@mitre.org
CVSS 3.1 (NVD): 8.0

Severity by source

NVD (primary): 8.0 HIGH
AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: High
Integrity: High
Availability: None

Lifecycle Timeline

EUVD ID Assigned: Mar 16, 2026 - 06:52 (euvd) · EUVD-2025-21049
Analysis Generated: Mar 16, 2026 - 06:52 (vuln.today)
PoC Detected: Jul 17, 2025 - 13:16 (vuln.today) · Public exploit code
CVE Published: Jul 10, 2025 - 19:15 (nvd) · HIGH 8.0

Description (CVE.org)

An issue in Alteryx Server v.2023.1.1.460 allows HTML injection via a crafted script to the pages component.

Analysis (AI-generated)

CVE-2025-28243 is a Stored/Reflected HTML Injection vulnerability in Alteryx Server 2023.1.1.460 affecting the pages component, enabling unauthenticated attackers to inject malicious scripts that execute in victims' browsers with user interaction. This vulnerability carries a CVSS 8.0 score with high confidentiality and integrity impact; while no KEV or confirmed EPSS data is provided in the source material, the network-accessible attack vector and relatively high CVSS indicate moderate-to-significant real-world risk depending on deployment scope and user exposure.

Technical Context (AI-generated)

The vulnerability exists in Alteryx Server's pages component (CPE likely: cpe:2.3:a:alteryx:alteryx_server:2023.1.1.460:*:*:*:*:*:*:*), which fails to properly sanitize user-supplied input before rendering it in HTML context. This is a classic CWE-79 (Improper Neutralization of Input During Web Page Generation) vulnerability: the pages component accepts crafted script input without adequate output encoding or input validation, allowing attackers to inject arbitrary HTML and JavaScript. The vulnerability operates at the web application layer, suggesting the pages component lacks proper Context-Aware Output Encoding (CAOE) or Content Security Policy (CSP) headers to mitigate script execution.

Remediation (AI-generated)

  1. Immediate Patch: Upgrade Alteryx Server to a version newer than 2023.1.1.460 (Alteryx should release a patched 2023.1.x or recommend an upgrade to 2024.x LTS). Check the Alteryx Security Advisory portal for official patch availability.
  2. Input Validation & Sanitization: If a patch is unavailable, implement strict input validation on the pages component: allow-list permitted characters and reject or encode special HTML/JavaScript characters (<, >, ", ', script tags).
  3. Output Encoding: Enforce HTML entity encoding for all user-controlled data rendered in the pages component (e.g., &lt;, &gt;, &quot;).
  4. Content Security Policy (CSP): Deploy CSP headers (script-src 'self'; object-src 'none') to restrict inline script execution.
  5. Web Application Firewall (WAF): Deploy a WAF rule to detect and block requests containing script injection patterns targeting the pages endpoint.
  6. User Education: Warn users against clicking untrusted links to pages components from external sources.
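As an added example (not part of this vuln.today record and not Alteryx's code), the following Python shows what remediation steps 3 and 4 look like in practice for a hypothetical "pages"-style renderer: an unhardened render function that interpolates untrusted fields directly, the hardened version that HTML-entity-encodes every user-controlled value at output time, and a CSP header matching the policy named above. The page structure, field names and the sample content are constructed assumptions for illustration.

```python
import html
import re

# Constructed sample: content a page author could submit to a
# "pages" component (assumption: title and body are untrusted input).
SAMPLE_PAGE = {
    "title": "Quarterly report <script>alert(1)</script>",
    "body": 'Click "here" & read more',
}


def render_page_unsafe(page: dict) -> str:
    """Hypothetical unhardened renderer: untrusted fields are placed
    straight into the HTML, so markup in the input becomes markup in
    the output (the CWE-79 pattern described above)."""
    return f"<h1>{page['title']}</h1><div>{page['body']}</div>"


def render_page_safe(page: dict) -> str:
    """Hardened renderer: HTML entity encoding at output time.
    html.escape(quote=True) encodes & < > " and ' so user data is
    rendered as text and never parsed as tags or attributes."""
    title = html.escape(page["title"], quote=True)
    body = html.escape(page["body"], quote=True)
    return f"<h1>{title}</h1><div>{body}</div>"


def security_headers() -> dict:
    """Response headers for remediation step 4: a CSP that only allows
    same-origin scripts and no plugins, so inline script that slipped
    past encoding would still be refused by the browser."""
    return {
        "Content-Security-Policy": "script-src 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }


# Defender-side check over rendered output (a regression test, not a
# sanitizer): flags any script tag that survived into the HTML.
_SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_script_tag(rendered_html: str) -> bool:
    return bool(_SCRIPT_TAG.search(rendered_html))


if __name__ == "__main__":
    unsafe = render_page_unsafe(SAMPLE_PAGE)
    safe = render_page_safe(SAMPLE_PAGE)
    print("unsafe render contains <script>:", contains_script_tag(unsafe))
    print("safe render contains <script>:  ", contains_script_tag(safe))
    print(safe)
    print(security_headers())
```

The encoding is applied where the value is written into HTML, not where it is stored, so the same stored title is still searchable and editable while never reaching the browser as live markup; the CSP is the second layer for the case where some other render path is missed.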


CVE-2025-28243 vulnerability details – vuln.today
