Nuance Digital Engagement Platform EUVD-2025-17722

| CVE-2025-47977 HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-06-10 [email protected]
XSS Nuance Digital Engagement Platform
8.2
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:40 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
5.64.x
Analysis Generated
Mar 14, 2026 - 19:49 vuln.today
EUVD ID Assigned
Mar 14, 2026 - 19:49 euvd
EUVD-2025-17722
CVE Published
Jun 10, 2025 - 17:24 nvd
HIGH 8.2

DescriptionNVD

Improper neutralization of input during web page generation ('cross-site scripting') in Nuance Digital Engagement Platform allows an unauthorized attacker to perform spoofing over a network.

AnalysisAI

Cross-site scripting (XSS) vulnerability in the Nuance Digital Engagement Platform that allows unauthenticated attackers to inject malicious scripts into web pages generated by the platform. This vulnerability enables spoofing attacks and potential credential theft or session hijacking over the network with only user interaction required. With a CVSS score of 8.2 and network-accessible attack vector, this represents a significant risk to organizations deploying Nuance's engagement platform, particularly given the high impact on confidentiality and cross-site scope implications.

Technical ContextAI

This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation - 'Cross-Site Scripting'), the most prevalent web application vulnerability class. The root cause involves insufficient input validation and output encoding in the Nuance Digital Engagement Platform's web page generation mechanisms. The platform fails to properly sanitize user-controlled input before rendering it in HTML contexts, allowing attackers to inject arbitrary JavaScript code. The cross-site scope (S:C in CVSS vector) indicates the vulnerability can affect resources beyond the vulnerable component's security scope, suggesting the injected scripts can interact with third-party services or access cross-origin resources. This is typical of reflected or stored XSS in customer-facing engagement platforms that process and display user-generated content, form submissions, or personalization parameters without adequate escaping.

RemediationAI

  1. Apply security patches released by Nuance for CVE-2025-47977 immediately - contact Nuance support or monitor their security advisories for patch availability and version guidance. 2) Implement Web Application Firewall (WAF) rules to detect and block common XSS payloads targeting the affected platform endpoints. 3) Enable Content Security Policy (CSP) headers to restrict script execution to trusted sources only. 4) Perform input validation and output encoding reviews on all user-facing engagement platform components. 5) Implement HTTPOnly and Secure flags on session cookies to limit JavaScript access. 6) Monitor for exploitation attempts via web logs, looking for script injection patterns in request parameters and form submissions.

Share

EUVD-2025-17722 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy