Nozomi Networks Guardian
cpe:2.3:a:nozominetworks:guardian:*:*:*:*:*:*:*
- < 26.1.0
A stored HTML injection vulnerability has been identified in the Smart Polling feature of Nozomi Networks Guardian and CMC versions prior to 26.1.0. This vulnerability arises from inadequate validation of an input parameter, allowing an authenticated user with limited privileges to upload malicious remote strategies containing HTML tags. When the affected strategy is viewed in Smart Polling, the injected HTML is rendered in the browser, potentially leading to phishing attacks and open redirects. However, full exploitation of cross-site scripting (XSS) and direct information disclosure is mitigated by existing input validation and Content Security Policy settings.
Exploitation allows for stored HTML injection, with the injected HTML rendered in the victim's browser. This could facilitate phishing attacks and open redirects, although full XSS exploitation and direct information disclosure are blocked by current input validation and Content Security Policy configurations.
Users are advised to upgrade to Nozomi Networks Guardian or CMC version 26.1.0 or later.