Open Redirect
CVE-2025-40893
MEDIUM
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A Stored HTML Injection vulnerability was discovered in the Asset List functionality due to improper validation of network traffic data. An unauthenticated attacker can send specially crafted network packets to inject HTML tags into asset attributes. When a victim views the affected assets in the Asset List (and similar functions), the injected HTML renders in their browser, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.
AnalysisAI
Stored HTML injection in Nozomi Networks CMC and Guardian Asset List functionality allows unauthenticated remote attackers to inject malicious HTML tags into asset attributes via crafted network packets, enabling phishing and open redirect attacks when victims view affected assets. CVSS 5.3 (medium severity) with user interaction required; exploitation is bounded by existing Content Security Policy and input validation that prevent full XSS and direct information disclosure.
Technical ContextAI
The vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation) in the Asset List feature of Nozomi Networks CMC and Guardian products. These network management and cybersecurity platforms ingest and display network traffic metadata; the vulnerability arises from inadequate sanitization of network packet data before it is stored and rendered in asset attribute fields within the web interface. Because the injected HTML is stored in the application state (Stored/Persistent injection rather than Reflected), any user viewing the affected asset triggers the payload. The CVSS 4.0 vector confirms network-accessible attack surface (AV:N), low complexity (AC:L), no authentication required (PR:N), and importantly, user interaction required (UI:P), meaning a victim must actively view the compromised asset. Mitigating controls-CSP policy and existing input validation-limit scope to confidentiality impact (VI:L) and low scope impact (SC:L), preventing full XSS code execution and direct data exfiltration.
RemediationAI
Consult the Nozomi Networks security advisory at https://security.nozominetworks.com/NN-2025:14-01 and the Siemens Product Certification portal at https://cert-portal.siemens.com/productcert/html/ssa-827968.html for vendor-released patches and exact fixed versions. Apply the recommended patch to all CMC and Guardian instances, particularly those exposed to untrusted network segments. As an interim mitigation, restrict access to the Asset List functionality to trusted users only, implement network segmentation to limit attacker ability to inject crafted packets destined for the affected products, and ensure Content Security Policy headers are fully enabled and correctly configured to prevent HTML payload rendering.
More in Open Redirect
View allA malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca
GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of
PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect
Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to
Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows
Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b
Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li
Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3
Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp
Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites
Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for
Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today