ByteOS Network

NVD Vulnerability Details :

CVE-2025-22270

Deferred

Source-cvd@cert.pl

Published At-28 Feb, 2025 | 13:15

Updated At-15 Apr, 2026 | 00:35

An attacker with access to the Administration panel, specifically the "Role Management" tab, can inject code by adding a new role in the "name" field. It should be noted, however, that the risk of exploiting vulnerability is reduced due to the required additional error that allows bypassing the Content-Security-Policy policy, which mitigates JS code execution while still allowing HTML injection. This issue affects CyberArk Endpoint Privilege Manager in SaaS version 24.7.1. The status of other versions is unknown. After multiple attempts to contact the vendor we did not receive any answer.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	4.0	7.3	HIGH	CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Type: Secondary

Version: 4.0

Base score: 7.3

Base severity: HIGH

Vector:

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Weaknesses

CWE ID	Type	Source
CWE-79	Secondary	cvd@cert.pl

CWE ID: CWE-79

Type: Secondary

Source: cvd@cert.pl

References

Hyperlink	Source	Resource
https://cert.pl/en/posts/2025/02/CVE-2025-22270/	cvd@cert.pl	N/A
https://cert.pl/posts/2025/02/CVE-2025-22270/	cvd@cert.pl	N/A
https://docs.cyberark.com/epm/24.7.1/en/content/resources/_topnav/cc_home.htm	cvd@cert.pl	N/A