{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2025-27706","assignerOrgId":"b6533044-ea05-4482-8458-7bddeca0d079","state":"PUBLISHED","assignerShortName":"Absolute","dateReserved":"2025-03-05T23:12:09.705Z","datePublished":"2025-05-28T21:01:08.548Z","dateUpdated":"2025-05-28T23:55:03.442Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","packageName":"Management Console","product":"Secure Access","vendor":"Absolute Security","versions":[{"lessThan":"13.54","status":"affected","version":"0","versionType":"Server"}]}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"CVE-2025-27706 is a cross-site scripting vulnerability in the management\n console of Absolute Secure Access prior to version 13.54. Attackers \nwith system administrator permissions can interfere with another system \nadministrator’s use of the management console when the second \nadministrator visits the page. Attack complexity is low, there are no \npreexisting attack requirements, privileges required are high and active\n user interaction is required. There is no impact on confidentiality, \nthe impact on integrity is low and there is no impact on availability."}],"value":"CVE-2025-27706 is a cross-site scripting vulnerability in the management\n console of Absolute Secure Access prior to version 13.54. Attackers \nwith system administrator permissions can interfere with another system \nadministrator’s use of the management console when the second \nadministrator visits the page. Attack complexity is low, there are no \npreexisting attack requirements, privileges required are high and active\n user interaction is required. There is no impact on confidentiality, \nthe impact on integrity is low and there is no impact on availability."}],"metrics":[{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":4.6,"baseSeverity":"MEDIUM","privilegesRequired":"HIGH","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"ACTIVE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"LOW","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"providerMetadata":{"orgId":"b6533044-ea05-4482-8458-7bddeca0d079","shortName":"Absolute","dateUpdated":"2025-05-28T21:01:08.548Z"},"references":[{"url":"https://www.absolute.com/platform/vulnerability-archive/cve-2025-27706"}],"source":{"discovery":"INTERNAL"},"title":"Cross-site scripting vulnerability in the Secure Access administrative console of Absolute Secure Access prior to version 13.54","x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"problemTypes":[{"descriptions":[{"type":"CWE","cweId":"CWE-79","lang":"en","description":"CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-05-28T23:54:24.614310Z","id":"CVE-2025-27706","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-05-28T23:55:03.442Z"}}]}}