CVE-2025-10280
HIGH
SailPoint IdentityIQ < 8.3 - Cross-Site Scripting via Incorrect Content-Type Header
Title source: llm
Description
IdentityIQ 8.5, IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p4, IdentityIQ 8.3 and all 8.3 patch levels including 8.3p5, and all prior versions allow some IdentityIQ web services that provide non-HTML content to be accessed via a URL path that sets the Content-Type to HTML, allowing a requesting browser to interpret content that is not properly escaped to prevent Cross-Site Scripting (XSS).
Scores
CVSS v3: 7.1
EPSS: 0.0020
EPSS Percentile: 9.8%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-79
Status: published
Products (4)
sailpoint/identityiq: 8.3 (5 CPE variants)
sailpoint/identityiq: 8.4 (3 CPE variants)
sailpoint/identityiq: 8.5
sailpoint/identityiq: < 8.3
Published: Nov 03, 2025
Tracked Since: Feb 18, 2026