CVE-2025-11925
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-17

Last updated on: 2025-11-07

Assigner: azure-access

Description
Incorrect Content-Type header in one of the APIs (`text/html` instead of `application/json`) replies may potentially allow injection of HTML/JavaScript into reply.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-17
Last Modified
2025-11-07
Generated
2026-05-07
AI Q&A
2025-10-17
EPSS Evaluated
2026-05-05
NVD
CVE-2025-11925
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
azure-access blu-ic2_firmware to 1.20 (exc)
azure-access blu-ic2 *
azure-access blu-ic4_firmware to 1.20 (exc)
azure-access blu-ic4 *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-754 The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability occurs because one of the APIs incorrectly sets the Content-Type header to 'text/html' instead of 'application/json'. This misconfiguration may allow an attacker to inject malicious HTML or JavaScript code into the API's reply, potentially leading to cross-site scripting (XSS) attacks.


How can this vulnerability impact me? :

The vulnerability can allow attackers to inject malicious HTML or JavaScript into API responses, which can lead to cross-site scripting (XSS) attacks. This can result in unauthorized actions on behalf of users, theft of sensitive information such as cookies or credentials, and compromise of user sessions or systems interacting with the affected APIs.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart