CVE-2025-3840

LOW

Saviynt OVA based Connect - Cross-Site Scripting via Login Form Action Parameter

Title source: llm
STIX 2.1

Description

An improper neutralization of input vulnerability was identified in the End of Life (EOL) OVA based connect installer component which is deployed for installation purposes in a customer network. This EOL component was deprecated in September 2023 with end of support extended till January 2024. An actor can manipulate the action parameter of the login form to inject malicious scripts which would lead to a XSS attack under certain conditions.

References (1)

Core 1
Core References

Scores

CVSS v4 2.1
EPSS 0.0021
EPSS Percentile 10.9%
CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (6)
Saviynt/OVA based Connect AlmaLinux-8.x_SC2.0-Client-2.0
Saviynt/OVA based Connect AlmaLinux-8.x_SC2.0-Client-3.0
Saviynt/OVA based Connect CentOS-7.x_SC2.0-Client-2.0
Saviynt/OVA based Connect CentOS-7.x_SC2.0-Client-3.0
Saviynt/OVA based Connect RHEL-8.x_SC2.0-Client-2.0
Saviynt/OVA based Connect RHEL-8.x_SC2.0-Client-3.0
Published Apr 21, 2025
Tracked Since Feb 18, 2026