CVE-2025-14499
Cross-Site Scripting in IceWarp gmaps Enables Authentication Bypass
Publication date: 2025-12-23
Last updated on: 2025-12-23
Assigner: Zero Day Initiative
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| icewarp | gmaps | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in IceWarp gmaps allows remote attackers to bypass authentication because a parameter passed to the gmaps webpage is not properly validated. The flaw is a cross-site scripting (XSS) issue: an attacker can inject arbitrary script through that parameter, and the injected script can lead to authentication bypass. Exploitation requires user interaction, in that the target must visit a malicious page or open a malicious file.
How can this vulnerability impact me?
The vulnerability can allow attackers to bypass authentication on affected IceWarp installations, potentially giving them unauthorized access to the system. This can lead to full compromise, including confidentiality, integrity, and availability impacts.