CVE-2025-11925
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-17

Last updated on: 2025-11-07

Assigner: azure-access

Description
Incorrect Content-Type header in one of the APIs (`text/html` instead of `application/json`) replies may potentially allow injection of HTML/JavaScript into reply.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-17
Last Modified
2025-11-07
Generated
2026-06-16
AI Q&A
2025-10-17
EPSS Evaluated
2026-06-14
NVD
CVE-2025-11925
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
azure-access blu-ic2_firmware to 1.20 (exc)
azure-access blu-ic2 *
azure-access blu-ic4_firmware to 1.20 (exc)
azure-access blu-ic4 *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-754 The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability occurs because one of the APIs incorrectly sets the Content-Type header to 'text/html' instead of 'application/json'. This misconfiguration may allow an attacker to inject malicious HTML or JavaScript code into the API's reply, potentially leading to cross-site scripting (XSS) attacks.

Impact Analysis

The vulnerability can allow attackers to inject malicious HTML or JavaScript into API responses, which can lead to cross-site scripting (XSS) attacks. This can result in unauthorized actions on behalf of users, theft of sensitive information such as cookies or credentials, and compromise of user sessions or systems interacting with the affected APIs.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-11925. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart