CVE-2025-40894

LOW CVSS 4.0: 2.1 EPSS 0.03%
Updated Mar 05, 2026
Nozominetworks
Parameter: Value
CVSS: 2.1 (LOW)
Affected Versions: before 25.6.0
Fixed In: 25.6.0
Type: CWE-79 (Cross-Site Scripting (XSS))
Vendor: Nozominetworks
Public PoC: No

A Stored HTML Injection vulnerability was discovered in the Alerted Nodes Dashboard functionality due to improper validation on an input parameter. A malicious authenticated user with the required privileges could edit a node label to inject HTML tags. If the system is configured to use the Alerted Nodes Dashboard, and alerts are reported for the affected node, then the injected HTML may render in the browser of a victim user interacting with it, enabling phishing and possibly open redirect attacks.

Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.

Attack Parameters

Attack Vector: Network (can be exploited remotely)
Attack Complexity: High (difficult to exploit)
Attack Requirements: Present (additional conditions required)
Privileges Required: Low (basic privileges needed)
User Interaction: Passive (minimal interaction)

Impact Assessment

Confidentiality: None (no data leak)
Integrity: Low (partial data modification)
Availability: None (no disruption)

CVSS Vector v4.0

Vulnerable Products (2)

Configuration | From (including) | Up to (excluding)
Nozominetworks Cmc (cpe:2.3:a:nozominetworks:cmc:*:*:*:*:*:*:*:*) | - | 25.6.0
Nozominetworks Guardian (cpe:2.3:a:nozominetworks:guardian:*:*:*:*:*:*:*:*) | - | 25.6.0