CVSS Vector (NVD)
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
Description (NVD)
A Stored HTML Injection vulnerability was discovered in the Users functionality due to improper validation of an input parameter. An authenticated user with administrative privileges can create a malicious user whose username contains HTML tags. When a victim attempts to delete a group containing the affected user, the injected HTML renders in their browser, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.
Analysis (AI)
Stored HTML injection in Nozomi Networks Guardian and CMC (versions prior to 26.1.0) allows an authenticated administrator to create a user account whose username contains raw HTML tags that are rendered unescaped in a victim's browser. The injection triggers specifically during group deletion workflows: when any user attempts to delete a group containing the malicious account, the stored payload renders. Full XSS exploitation is blocked by the platform's Content Security Policy, but the vector remains usable for phishing and open redirect abuse. No public exploit code exists and this CVE is not listed in CISA KEV; the CVSS 4.0 score of 4.8 reflects the high privilege prerequisite and required user interaction, which substantially constrain real-world risk.
Technical Context (AI)
The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation, stored XSS subtype), rooted in insufficient server-side input validation and missing output encoding of the username field in the Users management functionality. The application stores the unsanitized value and later renders it into a deletion confirmation or group management page without HTML-encoding, allowing injected tags to be parsed and rendered by the victim's browser. Affected products are identified by CPE strings cpe:2.3:a:nozomi_networks:guardian and cpe:2.3:a:nozomi_networks:cmc, both covering all versions below 26.1.0. Guardian is Nozomi Networks' OT/IoT network visibility and security sensor platform; CMC (Central Management Console) is its centralized management layer. The platform's existing Content Security Policy configuration provides a meaningful partial defense, blocking execution of injected scripts and preventing direct information disclosure, but it does not neutralize HTML element injection or anchor-tag-based open redirects.
Remediation (AI)
The vendor-released patch is Guardian 26.1.0 and CMC 26.1.0, which resolve the improper input validation in the username field. Organizations should upgrade to these versions or later as the primary remediation, referencing the vendor advisory at https://security.nozominetworks.com/NN-2026:5-01 for upgrade guidance. If immediate patching is not feasible, the following compensating controls should be considered: restrict administrative account creation to a minimal set of trusted operators and enable audit logging on user creation events to detect anomalous usernames containing angle brackets or HTML entities; enforce the principle of least privilege so that only a narrow set of accounts can both create users and manage groups, reducing the opportunity for the attack chain to complete; and review existing usernames in the platform for HTML content as a one-time detection sweep. Note that the existing CSP already limits the exploitability of this issue, but it does not eliminate the open redirect and phishing risk, so patching remains the definitive fix.
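The two defender-side pieces described above, the output-encoding fix behind the CWE-79 classification and the one-time username sweep with audit logging from the compensating controls, as an added Python example. This is not Nozomi Networks code: the user export format, the confirmation-page template, the log line shape and the sample usernames are all constructed for illustration, since the real Guardian/CMC templates and user store are not on this page.

```python
"""
Added example (not Nozomi Networks code): a sweep of stored usernames for
HTML content, an audit-log helper for user-creation events, and the
output-encoding pattern that prevents stored HTML injection.
Export format, template text and sample usernames are constructed.
"""
import html
import re

# A tag opens only when "<" is followed by an ASCII letter, "</", "<!" or "<?";
# entities are flagged because a second decoding pass could turn them into tags.
TAG_RE = re.compile(r"</?[A-Za-z]|<[!?]")
ENTITY_RE = re.compile(r"&(#\d+|#[xX][0-9a-fA-F]+|[A-Za-z]+);")


def contains_html(username: str) -> bool:
    """True if the username carries a tag opener or an HTML entity."""
    return bool(TAG_RE.search(username) or ENTITY_RE.search(username))


def sweep_usernames(usernames):
    """One-time detection sweep: return the usernames an operator should review."""
    return [u for u in usernames if contains_html(u)]


def audit_log_line(event: str, username: str) -> str:
    """Constructed audit-log line for user-creation events; marks HTML content."""
    flag = "HTML_IN_USERNAME" if contains_html(username) else "ok"
    return f"event={event} user={username!r} check={flag}"


def render_delete_confirmation_unsafe(group: str, members) -> str:
    """The defect pattern: stored values concatenated into markup verbatim."""
    rows = "".join(f"<li>{m}</li>" for m in members)
    return f"<p>Delete group {group}?</p><ul>{rows}</ul>"


def render_delete_confirmation(group: str, members) -> str:
    """The fix: HTML-encode every stored value at the point it enters markup."""
    rows = "".join(f"<li>{html.escape(m, quote=True)}</li>" for m in members)
    return f"<p>Delete group {html.escape(group, quote=True)}?</p><ul>{rows}</ul>"


# Constructed sample of a user export; "ot.analyst", "j.doe" and "a < b" are benign.
SAMPLE_USERNAMES = [
    "ot.analyst",
    "<b>support</b>",
    "alice&#60;img&#62;",
    "j.doe",
    "a < b",
    "<a href='https://example.invalid/login'>reset password</a>",
]

if __name__ == "__main__":
    for name in sweep_usernames(SAMPLE_USERNAMES):
        print("review:", name)
    print(audit_log_line("user.create", SAMPLE_USERNAMES[1]))
    print(render_delete_confirmation("engineers", SAMPLE_USERNAMES[:2]))
```

The sweep is deliberately conservative about entities: a username such as `alice&#60;img&#62;` is harmless when rendered through `html.escape`, but it is exactly what the remediation text asks operators to look for, so it is flagged for review rather than silently accepted. The escaping in `render_delete_confirmation` is the actual fix; the sweep and log line only reduce the window until 26.1.0 is deployed.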
External POC / Exploit Code
EUVD-2025-209893
GHSA-qhx5-6j68-67q4