CVE-2025-59901
Authenticated Reflected XSS in Disk Pulse Enterprise /monitor_directory Endpoint
Publication date: 2026-01-28
Last updated on: 2026-01-28
Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| disk_pulse | disk_pulse_enterprise | 10.4.18 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an authenticated reflected Cross-Site Scripting (XSS) issue in Disk Pulse Enterprise v10.4.18. It occurs in the '/monitor_directory?sid=' endpoint due to insufficient validation of the 'monitor_directory' parameter sent via POST. An attacker who is authenticated can exploit this by sending malicious content that is reflected back to an authenticated user, potentially allowing the attacker to steal information from the user's session.
How can this vulnerability impact me?
The vulnerability can allow an attacker to execute malicious scripts in the context of an authenticated user's session. This can lead to theft of sensitive information such as session tokens, which may result in unauthorized access to the user's account or data compromise.