CVE-2025-10280

Published: Nov 3, 2025Modified: Nov 12, 2025

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

IdentityIQ 8.5, IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p4, IdentityIQ 8.3 and all 8.3 patch levels including 8.3p5, and all prior versions allows some IdentityIQ web services that provide non-HTML content to be accessed via a URL path that will set the Content-Type to HTML allowing a requesting browser to interpret content not properly escaped to prevent Cross-Site Scripting (XSS).

Affected (10)

Products: Sailpoint: Identityiq

Sailpoint

1 product

Identityiq

Configuration A

10 vulnerable

Vulnerable Software	Affected Versions
Sailpoint Identityiq	Before 8.3
Sailpoint Identityiq	Version 8.3
Sailpoint Identityiq	Version 8.3 patch1
Sailpoint Identityiq	Version 8.3 patch2
Sailpoint Identityiq	Version 8.3 patch4
Sailpoint Identityiq	Version 8.3 patch5
Sailpoint Identityiq	Version 8.4
Sailpoint Identityiq	Version 8.4 patch1
Sailpoint Identityiq	Version 8.4 patch2
Sailpoint Identityiq	Version 8.5

Related CWEs

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (1)

https://www.sailpoint.com/security-advisories/sailpoint-identityiq-incorrect-content-type-cross-site-scripting-vulnerability-cve-2025-10280

Source: psirt@sailpoint.com

Vendor Advisory

Timeline

No history available yet.