CVE-2025-46545

In Sherpa Orchestrator 141851, the functionality for adding or updating licenses allows for stored XSS attacks by an administrator through the name parameter. The XSS payload can execute when the license expires.

CVSS v3 4.4 MEDIUM

4.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://deiteriy.com	Not Applicable
https://gist.github.com/ArtemBrylev/5a0c76285d5fa9daf4ec753034185de7	Third Party Advisory
https://sherparpa.com	Product
https://twitter.com/ArtyomBrylev	Not Applicable

Configurations

Configuration 1 (hide)

cpe:2.3:a:sherparpa:sherpa_orchestrator:141851:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-04-25 03:15

Updated : 2025-10-15 18:30

NVD link : CVE-2025-46545

Mitre link : CVE-2025-46545

CVE.ORG link : CVE-2025-46545

JSON object : View

Products Affected

sherparpa

sherpa_orchestrator

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2025-46545", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 1.3}, {"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 1.7}]}, "published": "2025-04-25T03:15:20.110", "references": [{"url": "https://deiteriy.com", "tags": ["Not Applicable"], "source": "[email protected]"}, {"url": "https://gist.github.com/ArtemBrylev/5a0c76285d5fa9daf4ec753034185de7", "tags": ["Third Party Advisory"], "source": "[email protected]"}, {"url": "https://sherparpa.com", "tags": ["Product"], "source": "[email protected]"}, {"url": "https://twitter.com/ArtyomBrylev", "tags": ["Not Applicable"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "In Sherpa Orchestrator 141851, the functionality for adding or updating licenses allows for stored XSS attacks by an administrator through the name parameter. The XSS payload can execute when the license expires."}, {"lang": "es", "value": "En Sherpa Orchestrator 141851, la funci\u00f3n para agregar o actualizar licencias permite que un administrador realice ataques XSS almacenado mediante el par\u00e1metro de nombre. El payload XSS puede ejecutarse al expirar la licencia."}], "lastModified": "2025-10-15T18:30:33.500", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sherparpa:sherpa_orchestrator:141851:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7B96DA20-9284-4FEF-957C-211EB3F22F76"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}