CVE-2025-46545

Published: Apr 25, 2025Modified: Oct 15, 2025

4.8

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Exploitability: 1.7 / Impact: 2.7

Source: NVD

Description

In Sherpa Orchestrator 141851, the functionality for adding or updating licenses allows for stored XSS attacks by an administrator through the name parameter. The XSS payload can execute when the license expires.

Affected (1)

Products: Sherparpa: Sherpa Orchestrator

Sherparpa

1 product

Sherpa Orchestrator

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Sherparpa Sherpa Orchestrator	Version 141851

Related CWEs

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (4)

https://deiteriy.com

Source: cve@mitre.org

Not Applicable

https://gist.github.com/ArtemBrylev/5a0c76285d5fa9daf4ec753034185de7

Source: cve@mitre.org

Third Party Advisory

https://sherparpa.com

Source: cve@mitre.org

Product

https://twitter.com/ArtyomBrylev

Source: cve@mitre.org

Not Applicable

Timeline

No history available yet.