Skip to main content

Kron PAM CVE-2025-5254

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2025-07-25 iletisim@usom.gov.tr
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 05, 2026 - 15:38 vuln.today

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Kron Technologies Kron PAM allows Stored XSS.

This issue affects Kron PAM: before 3.7.

AnalysisAI

Stored Cross-Site Scripting in Kron Technologies Kron PAM (versions before 3.7) allows a highly privileged authenticated attacker to inject persistent malicious scripts into the application that execute in the browsers of other users who view the affected content. Despite the high privilege required to plant the payload, the impact is rated High on both confidentiality and integrity - a realistic concern in Privileged Access Management platforms where session hijacking or credential harvesting against super-administrators carries severe downstream risk. No public exploit code or active exploitation has been identified at time of analysis; EPSS is low at 0.18% (40th percentile).

Technical ContextAI

Kron PAM is a Privileged Access Management platform by Kron Technologies, used to govern, audit, and broker access to privileged accounts and critical infrastructure. CWE-79 (Improper Neutralization of Input During Web Page Generation) covers stored XSS - a class of vulnerability where user-supplied input is persisted to a data store and later rendered in the browser without adequate encoding or sanitization. In the context of a PAM platform, stored XSS is particularly dangerous because the application handles sensitive privileged session data, credentials, and audit records; script execution in a victim's browser context can abuse the application's own privileged API endpoints on the victim's behalf. The CVSS vector (AV:N/AC:L/PR:H/UI:R/S:U) indicates the injection point is accessible over the network, requires no special conditions, but does require a high-privilege account to write the payload.

Affected ProductsAI

Kron PAM by Kron Technologies is affected in all versions prior to 3.7. The advisory published by the Turkish national cybersecurity authority USOM (TR-25-0178) at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0178 and https://www.usom.gov.tr/bildirim/tr-25-0178 identifies the version boundary. No CPE string was provided in the NVD entry; the exact affected component or module within the PAM platform is not specified in available data.

RemediationAI

Upgrade Kron PAM to version 3.7 or later, which resolves the stored XSS condition per the vendor-aligned USOM advisory TR-25-0178. The fix version 3.7 is inferred from the advisory boundary ('before 3.7'); it has not been independently verified against a separate Kron Technologies release note or changelog, so confirm the upgrade path directly with the vendor. Until patching is possible, restrict write access to PAM objects (sessions, notes, labels, or any field that renders in other users' views) to only the minimum necessary privileged accounts, reducing the population of users who could plant a payload. Audit and sanitize any existing stored content in user-editable fields as a precaution. Enable Content Security Policy headers at the web application firewall or load balancer layer if not already in place, noting this is a partial mitigant and does not substitute for the patch.

Share

CVE-2025-5254 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy