CVE-2025-59902
HTML Injection in NICE Chat Enables Phishing via Email Transcripts
Publication date: 2026-02-03
Last updated on: 2026-02-03
Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nice | nice_chat | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an HTML injection issue in the NICE Chat system. It allows an attacker to inject and render arbitrary HTML content in email transcripts by modifying the 'firstName' and 'lastName' parameters during a chat session. The injected HTML is included in the body of emails sent by the system, which can be exploited to perform phishing attacks, impersonation, or credential theft. [1]
How can this vulnerability impact me? :
The vulnerability can impact you by enabling attackers to inject malicious HTML into email transcripts, which can lead to phishing attacks, impersonation of users or agents, and theft of credentials. This can compromise the security and trustworthiness of communications through the NICE Chat system. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring chat sessions for unusual or suspicious input in the 'firstName' and 'lastName' parameters that include HTML tags or scripts. Since the vulnerability involves HTML injection in email transcripts, inspecting outgoing emails for unexpected HTML content in these fields can help identify exploitation attempts. Specific commands are not provided in the available resources. [1]
What immediate steps should I take to mitigate this vulnerability?
No official solution or patch has been reported at this time. Immediate mitigation steps include monitoring and filtering input in the 'firstName' and 'lastName' parameters to prevent HTML injection, educating users about phishing risks, and scrutinizing email transcripts for suspicious content. Implementing input validation and sanitization on these parameters is recommended as a temporary measure. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows attackers to inject arbitrary HTML into email transcripts, which can lead to phishing, impersonation, or credential theft. Such security weaknesses can compromise the confidentiality and integrity of personal and sensitive data handled by NICE Chat.
This type of vulnerability may negatively impact compliance with data protection regulations like GDPR and HIPAA, which require organizations to implement appropriate security measures to protect personal and health information from unauthorized access or disclosure.
However, the provided information does not explicitly state the direct effects on compliance with these standards.