← Back to CVEs
CVE-2025-40893
MEDIUM6.1
Description
A Stored HTML Injection vulnerability was discovered in the Asset List functionality due to improper validation of network traffic data. An unauthenticated attacker can send specially crafted network packets to inject HTML tags into asset attributes. When a victim views the affected assets in the Asset List (and similar functions), the injected HTML renders in their browser, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.
CVE Details
CVSS v3.1 Score6.1
SeverityMEDIUM
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack VectorNETWORK
ComplexityLOW
Privileges RequiredNONE
User InteractionREQUIRED
Published12/18/2025
Last Modified4/14/2026
Sourcenvd
Honeypot Sightings0
Affected Products
nozominetworks:cmcnozominetworks:guardian
Weaknesses (CWE)
CWE-79
References
https://security.nozominetworks.com/NN-2025:14-01(prodsec@nozominetworks.com)
https://cert-portal.siemens.com/productcert/html/ssa-827968.html(0b142b55-0307-4c5a-b3c9-f314f3fb7c5e)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.