CVE-2025-10280

HIGH

SailPoint IdentityIQ < 8.3 - Cross-Site Scripting via Incorrect Content-Type Header

Description

IdentityIQ 8.5, IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p4, IdentityIQ 8.3 and all 8.3 patch levels including 8.3p5, and all prior versions allow some IdentityIQ web services that provide non-HTML content to be accessed via a URL path that sets the Content-Type to HTML, allowing a requesting browser to interpret content that is not properly escaped to prevent Cross-Site Scripting (XSS).

Scores

CVSS v3 7.1
EPSS 0.0020
EPSS Percentile 9.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-79
Status published
Products (4)
sailpoint/identityiq 8.3 (5 CPE variants)
sailpoint/identityiq 8.4 (3 CPE variants)
sailpoint/identityiq 8.5
sailpoint/identityiq < 8.3
Published Nov 03, 2025
Tracked Since Feb 18, 2026