CyberArk Endpoint Privilege Manager
cpe:2.3:a:cyberark:endpoint_privilege_manager:*:*:*:*:*:*:*
- 24.7.1
A code injection vulnerability has been identified in CyberArk Endpoint Privilege Manager SaaS version 24.7.1. An attacker with access to the Administration panel's 'Role Management' tab can inject code through the 'name' field when adding a new role. The risk is reduced because the Content-Security-Policy prevents JavaScript execution, although HTML injection remains possible; an attacker would need to bypass the policy to run script.
Exploitation of this vulnerability allows for HTML injection, which could be leveraged for Cross-site Scripting (XSS) attacks, according to the CVE-2025-22270 reference.