CVE-2025-8386
BaseFortify
Publication date: 2025-11-15
Last updated on: 2025-11-15
Assigner: ICS-CERT
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vendor | application_server | 4.0 |
| vendor | application_server | 3.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-80 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability allows an authenticated user with the 'aaConfigTools' privilege to tamper with App Objects' help files and inject persistent cross-site scripting (XSS) code. When a victim user executes this malicious code, it can lead to horizontal or vertical privilege escalation. The exploit is limited to configuration-time operations within the IDE component of the Application Server and does not affect run-time components or operations.
How can this vulnerability impact me? :
If exploited, this vulnerability can allow an attacker with certain privileges to inject malicious scripts that persist and execute in the context of other users, potentially leading to unauthorized privilege escalation. This can compromise the security of the application and its users by allowing attackers to gain higher access rights or perform actions they should not be authorized to do.